North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: NAT etc. (was: Spam Control Considered Harmful)
[ I just removed these addresses: [email protected] [email protected] [email protected] [email protected] [email protected] ...from the recipient list, since I know they are all on NANOG. I would not be offended by each of the above people thanking me publically for not making them see two copies of this reply. Perhaps that would set some kind of an example for the rest of the audience, most of whom just say "reply-all". ] Havard said: > ...which brings me to think if it isn't so that Secure DNS (at > least as currently specified) and widespread deployment of NAT > boxes which fiddle with the contents of DNS reply/request packets > isn't exactly a properly working combination. As I understand it > you can have NAT or Secure DNS with e.g. signed A records but you > can't (easily?) have both. This is a misdirected concern. DNS clients inside a NAT cloud are already proscribed from seeing DNS data from other NAT clouds or from the Internet itself. The NAT technology has to strip off DNSSEC stuff when it imports data but it tends to strip off DNS delegation and authority data as well, and tends to alter the address and mail exchange records. NAT borders are already DNS endpoints, with or without DNSSEC. Whether and how to regenerate external DNS inside a NAT cloud is a matter of NAT implementation, but the fact that it's _regenerated_, not forwarded or recursed, is a design constant.
|