North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: NAT etc. (was: Spam Control Considered Harmful)
On Sat, Nov 01, 1997 at 12:34:13PM -0800, Paul A Vixie wrote: > Havard said: > > ...which brings me to think if it isn't so that Secure DNS (at > > least as currently specified) and widespread deployment of NAT > > boxes which fiddle with the contents of DNS reply/request packets > > isn't exactly a properly working combination. As I understand it > > you can have NAT or Secure DNS with e.g. signed A records but you > > can't (easily?) have both. > > This is a misdirected concern. DNS clients inside a NAT cloud are > already proscribed from seeing DNS data from other NAT clouds or from > the Internet itself. The NAT technology has to strip off DNSSEC stuff > when it imports data but it tends to strip off DNS delegation and > authority data as well, and tends to alter the address and mail exchange > records. NAT borders are already DNS endpoints, with or without DNSSEC. > Whether and how to regenerate external DNS inside a NAT cloud is a matter > of NAT implementation, but the fact that it's _regenerated_, not forwarded > or recursed, is a design constant. Well, yes, Paul, but unless I misunderstood you, that's exactly the point. If a client inside a NAT cloud does a DNS lookup to a supposedly authoritative server outside, and the NAT box is _required_ to strip off the signature (which it would, because it has to change the data), then it's not possibile, by definition, for any client inside such a NAT box to make any use of SecDNS. The point is that you _can't_ regenerate the signature, usefully to the client, anyway, precisely because _it is a signature_. Cheers, -- jra -- Jay R. Ashworth [email protected] Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Pedantry. It's not just a job, it's an Tampa Bay, Florida adventure." -- someone on AFU +1 813 790 7592
|