North American Network Operators Group

Re: NAT etc. (was: Spam Control Considered Harmful)
On Sat, Nov 01, 1997 at 07:44:55PM -0600, Tim Salo wrote:
> > Date: Sat, 1 Nov 1997 17:37:57 -0500
> > From: "Jay R. Ashworth" <[email protected]>
> > To: "You're welcome" <[email protected]>
> > Subject: Re: NAT etc. (was: Spam Control Considered Harmful)
> > [...]
> > Well, yes, Paul, but unless I misunderstood you, that's exactly the
> > point.  If a client inside a NAT cloud does a DNS lookup to a
> > supposedly authoritative server outside, and the NAT box is _required_
> > to strip off the signature (which it would, because it has to change
> > the data), then it's not possible, by definition, for any client
> > inside such a NAT box to make any use of SecDNS.
> >
> > The point is that you _can't_ regenerate the signature, usefully to the
> > client, anyway, precisely because _it is a signature_.
>
> Presumably, the NAT could,
>
>   o Verify the signature of the DNS responses it receives, and
>     dump any responses that don't meet its [authentication]
>     criteria, or
>
>   o Sign the response it creates and let the client verify
>     the NAT's signature.  Presumably, the client will trust
>     the NAT.

Yup, it could, but as I noted to Paul, in the cases Sean is advocating,
the client and the NAT box may not be within the same span of
administration, either.

IE: no, you may _not_ trust the NAT op.

Cheers,
-- jra
--
Jay R. Ashworth                                  [email protected]
Member of the Technical Staff        Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "Pedantry.  It's not just a job, it's an
Tampa Bay, Florida          adventure."  -- someone on AFU   +1 813 790 7592
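
The trust question raised in this message, worked through as an added example (not part of the original post or of any DNS implementation): a NAT box rewrites a signed A record, and the client's acceptance depends entirely on which keys it holds as trust anchors. Assumptions: toy textbook RSA with fixed Mersenne primes stands in for the real secure-DNS signature algorithms, and the record, addresses and key names are constructed.

```python
import hashlib

# Toy textbook RSA (no padding, fixed small primes): illustration only.
def make_key(p, q, e=65537):
    n = p * q
    return {"pub": (n, e), "priv": (n, pow(e, -1, (p - 1) * (q - 1)))}

def digest(rrset, n):
    # Hash a canonical (sorted) form of the record set, reduced mod n.
    data = "\n".join(sorted(rrset)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(rrset, priv):
    n, d = priv
    return pow(digest(rrset, n), d, n)

def verify(rrset, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(rrset, n)

ZONE = make_key(2**61 - 1, 2**89 - 1)    # hypothetical authoritative zone key
NAT = make_key(2**107 - 1, 2**127 - 1)   # hypothetical key held by the NAT box

def nat_rewrite(rrset, mapping):
    """Translate the address field of each 'name type addr' record."""
    out = []
    for rr in rrset:
        name, rtype, addr = rr.split()
        out.append(f"{name} {rtype} {mapping.get(addr, addr)}")
    return out

def client_accepts(rrset, sig, trust_anchors):
    """A client accepts data only if a key it already trusts signed it."""
    return any(verify(rrset, sig, pub) for pub in trust_anchors)

def scenario():
    original = ["www.example.com. A 192.0.2.10"]           # constructed record
    zone_sig = sign(original, ZONE["priv"])
    rewritten = nat_rewrite(original, {"192.0.2.10": "10.1.2.3"})
    nat_sig = sign(rewritten, NAT["priv"])                  # NAT re-signs
    return {
        "untouched, zone signature": client_accepts(original, zone_sig, [ZONE["pub"]]),
        "rewritten, zone signature": client_accepts(rewritten, zone_sig, [ZONE["pub"]]),
        "re-signed, client trusts NAT": client_accepts(rewritten, nat_sig, [ZONE["pub"], NAT["pub"]]),
        "re-signed, NAT under other administration": client_accepts(rewritten, nat_sig, [ZONE["pub"]]),
    }

if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the third case validates, and it does so because the client chose to install the NAT's key, which is the step that is unavailable when the NAT is outside the client's span of administration.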