On Sat, Nov 01, 1997 at 12:34:13PM -0800, Paul A Vixie wrote:
Havard said:
...which brings me to think if it isn't so that Secure DNS (at least as currently specified) and widespread deployment of NAT boxes which fiddle with the contents of DNS reply/request packets isn't exactly a properly working combination. As I understand it you can have NAT or Secure DNS with e.g. signed A records but you can't (easily?) have both.
This is a misdirected concern. DNS clients inside a NAT cloud are already proscribed from seeing DNS data from other NAT clouds or from the Internet itself. The NAT technology has to strip off DNSSEC stuff when it imports data but it tends to strip off DNS delegation and authority data as well, and tends to alter the address and mail exchange records. NAT borders are already DNS endpoints, with or without DNSSEC. Whether and how to regenerate external DNS inside a NAT cloud is a matter of NAT implementation, but the fact that it's _regenerated_, not forwarded or recursed, is a design constant.
Well, yes, Paul, but unless I misunderstood you, that's exactly the point. If a client inside a NAT cloud does a DNS lookup to a supposedly authoritative server outside, and the NAT box is _required_ to strip off the signature (which it would, because it has to change the data), then it's not possibile, by definition, for any client inside such a NAT box to make any use of SecDNS. The point is that you _can't_ regenerate the signature, usefully to the client, anyway, precisely because _it is a signature_. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Pedantry. It's not just a job, it's an Tampa Bay, Florida adventure." -- someone on AFU +1 813 790 7592