Date: Sat, 1 Nov 1997 17:37:57 -0500
From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
To: "You're welcome" <nanog@merit.edu>
Subject: Re: NAT etc. (was: Spam Control Considered Harmful)

[...]

Well, yes, Paul, but unless I misunderstood you, that's exactly the point. If a client inside a NAT cloud does a DNS lookup to a supposedly authoritative server outside, and the NAT box is _required_ to strip off the signature (which it would, because it has to change the data), then it's not possible, by definition, for any client inside such a NAT box to make any use of SecDNS.
The point is that you _can't_ regenerate the signature, usefully to the client, anyway, precisely because _it is a signature_.

Presumably, the NAT could,

o Verify the signature of the DNS responses it receives, and dump any responses that don't meet its [authentication] criteria, or

o Sign the response it creates and let the client verify the NAT's signature. Presumably, the client will trust the NAT.

-tjs
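The two messages above describe the same failure and the same way out. The Go program below is an added example, not code from either poster or from any DNSSEC implementation: it uses a toy signed record (Ed25519 over the text "owner type rdata", assumed here in place of real RRSIG and DNSKEY records, with constructed sample names and addresses) to show that a NAT's address rewrite leaves the zone's signature unverifiable, and that a NAT which validates the upstream answer with the zone key, drops it on failure, and re-signs the rewritten answer with its own key produces something a client that trusts that key can verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRR is a toy signed record: Sig covers "owner type rdata", as an RRSIG covers an RRset.
type SignedRR struct {
	Owner, Type, Rdata string
	Sig                []byte
}

func Sign(priv ed25519.PrivateKey, owner, typ, rdata string) SignedRR {
	return SignedRR{owner, typ, rdata, ed25519.Sign(priv, []byte(owner+" "+typ+" "+rdata))}
}

func Verify(pub ed25519.PublicKey, rr SignedRR) bool {
	return ed25519.Verify(pub, []byte(rr.Owner+" "+rr.Type+" "+rr.Rdata), rr.Sig)
}

// NATRewrite models a signature-unaware DNS ALG: it swaps the address but can
// only pass the zone's old signature along, which no longer matches the data.
func NATRewrite(rr SignedRR, newRdata string) SignedRR {
	return SignedRR{rr.Owner, rr.Type, newRdata, rr.Sig}
}

// NATResign models the second option: validate upstream with the zone key, drop
// the answer if that fails, otherwise rewrite and sign with the NAT's own key.
func NATResign(zonePub ed25519.PublicKey, natPriv ed25519.PrivateKey, rr SignedRR, newRdata string) (SignedRR, bool) {
	if !Verify(zonePub, rr) {
		return SignedRR{}, false
	}
	return Sign(natPriv, rr.Owner, rr.Type, newRdata), true
}

// Keypair stands in for a DNSKEY (zone) or the NAT's own key; rand.Reader does not fail in practice.
func Keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

func main() {
	zonePub, zonePriv := Keypair()
	_, natPriv := Keypair()
	upstream := Sign(zonePriv, "host.example.", "A", "192.0.2.10") // constructed sample answer
	_, ok := NATResign(zonePub, natPriv, upstream, "10.0.0.10")
	fmt.Println("rewrite keeps zone signature valid:", Verify(zonePub, NATRewrite(upstream, "10.0.0.10")), "| NAT re-signed:", ok)
}
```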