nanog mailing list archives
Re: NAT etc. (was: Spam Control Considered Harmful)
From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Sat, 1 Nov 1997 17:37:57 -0500
On Sat, Nov 01, 1997 at 12:34:13PM -0800, Paul A Vixie wrote:
> Havard said:
> > ...which brings me to think if it isn't so that Secure DNS (at least as
> > currently specified) and widespread deployment of NAT boxes which fiddle
> > with the contents of DNS reply/request packets isn't exactly a properly
> > working combination. As I understand it you can have NAT or Secure DNS
> > with e.g. signed A records but you can't (easily?) have both.
>
> This is a misdirected concern. DNS clients inside a NAT cloud are already
> proscribed from seeing DNS data from other NAT clouds or from the Internet
> itself. The NAT technology has to strip off DNSSEC stuff when it imports
> data but it tends to strip off DNS delegation and authority data as well,
> and tends to alter the address and mail exchange records. NAT borders are
> already DNS endpoints, with or without DNSSEC. Whether and how to
> regenerate external DNS inside a NAT cloud is a matter of NAT
> implementation, but the fact that it's _regenerated_, not forwarded or
> recursed, is a design constant.
Well, yes, Paul, but unless I misunderstood you, that's exactly the point. If a client inside a NAT cloud does a DNS lookup to a supposedly authoritative server outside, and the NAT box is _required_ to strip off the signature (which it would, because it has to change the data), then it's not possible, by definition, for any client inside such a NAT box to make any use of SecDNS.

The point is that you _can't_ regenerate the signature, usefully to the client, anyway, precisely because _it is a signature_.

Cheers,
-- jra

-- 
Jay R. Ashworth                                      jra () baylink com
Member of the Technical Staff            Unsolicited Commercial Emailers Sued
The Suncoast Freenet            "Pedantry.  It's not just a job, it's an
Tampa Bay, Florida                adventure." -- someone on AFU
+1 813 790 7592
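The mechanics behind the point made above, as an added example that is not part of this thread or of any poster's code: a DNSSEC RRSIG covers the RRSIG fields plus the canonical wire form of the RRset (RFC 4034, sections 3.1.8.1 and 6.2), so a NAT box that rewrites the A record's RDATA changes the signed bytes and the zone's signature no longer verifies, and the NAT box cannot produce a replacement that a validator trusting the zone's DNSKEY will accept. The Go program below builds that signed data and uses Ed25519 (DNSSEC algorithm 15, RFC 8080, a later addition than the 1997 spec discussed here) as the signing algorithm; the key seeds, key tag, timestamps and the addresses 192.0.2.10 / 10.0.0.5 are constructed example values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record: owner name, type, class, TTL and wire-format RDATA.
type RR struct {
	Name  string
	Type  uint16
	Class uint16
	TTL   uint32
	Rdata []byte
}

// RRSIGFields are the RRSIG RDATA fields that precede the signature (RFC 4034 section 3.1).
type RRSIGFields struct {
	TypeCovered uint16
	Algorithm   uint8
	Labels      uint8
	OrigTTL     uint32
	Expiration  uint32
	Inception   uint32
	KeyTag      uint16
	SignerName  string
}

// wireName encodes a domain name in canonical form: lowercase labels, uncompressed (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var out []byte
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0) // root label terminator
}

// rrsigPrefix serialises the RRSIG RDATA fields that the signature covers.
func rrsigPrefix(f RRSIGFields) []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, f.TypeCovered)
	buf.WriteByte(f.Algorithm)
	buf.WriteByte(f.Labels)
	binary.Write(buf, binary.BigEndian, f.OrigTTL)
	binary.Write(buf, binary.BigEndian, f.Expiration)
	binary.Write(buf, binary.BigEndian, f.Inception)
	binary.Write(buf, binary.BigEndian, f.KeyTag)
	buf.Write(wireName(f.SignerName))
	return buf.Bytes()
}

// canonicalRRset builds the RRset in canonical form and order (RFC 4034 section 3.1.8.1):
// each RR as owner | type | class | original TTL | rdlength | rdata, sorted by RDATA.
// The TTL is taken from the RRSIG's original TTL so caching does not change the signed bytes.
func canonicalRRset(origTTL uint32, rrs []RR) []byte {
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].Rdata, sorted[j].Rdata) < 0 })
	buf := new(bytes.Buffer)
	for _, rr := range sorted {
		buf.Write(wireName(rr.Name))
		binary.Write(buf, binary.BigEndian, rr.Type)
		binary.Write(buf, binary.BigEndian, rr.Class)
		binary.Write(buf, binary.BigEndian, origTTL)
		binary.Write(buf, binary.BigEndian, uint16(len(rr.Rdata)))
		buf.Write(rr.Rdata)
	}
	return buf.Bytes()
}

// signedData is what the zone key signs: RRSIG_RDATA (minus the signature) | canonical RRset.
func signedData(f RRSIGFields, rrs []RR) []byte {
	return append(rrsigPrefix(f), canonicalRRset(f.OrigTTL, rrs)...)
}

// SignRRset produces the RRSIG signature field with an Ed25519 zone key (DNSSEC algorithm 15).
func SignRRset(priv ed25519.PrivateKey, f RRSIGFields, rrs []RR) []byte {
	return ed25519.Sign(priv, signedData(f, rrs))
}

// VerifyRRset is the validator's check: the signature over the RRset as received, against the zone's public key.
func VerifyRRset(pub ed25519.PublicKey, f RRSIGFields, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, signedData(f, rrs), sig)
}

// NATScenario reports what a validating client inside the NAT cloud concludes for (1) the untouched
// answer, (2) the answer with its A RDATA rewritten by the NAT box, and (3) the rewritten answer
// re-signed by the NAT box with a key of its own. Seeds and record values are constructed, not real.
func NATScenario() (origOK, rewrittenOK, resignedOK bool) {
	zonePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	zonePub := zonePriv.Public().(ed25519.PublicKey)
	natPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize)) // NAT box's own key

	fields := RRSIGFields{TypeCovered: 1, Algorithm: 15, Labels: 3, OrigTTL: 3600,
		Expiration: 878400000, Inception: 876600000, KeyTag: 12345, SignerName: "example.com."}
	outside := []RR{{Name: "www.example.com.", Type: 1, Class: 1, TTL: 3600, Rdata: []byte{192, 0, 2, 10}}}
	sig := SignRRset(zonePriv, fields, outside) // signed once, by the zone, outside the NAT

	inside := []RR{{Name: "www.example.com.", Type: 1, Class: 1, TTL: 3600, Rdata: []byte{10, 0, 0, 5}}}
	natSig := SignRRset(natPriv, fields, inside) // the best a NAT box can do: sign with a key the client does not trust

	return VerifyRRset(zonePub, fields, outside, sig),
		VerifyRRset(zonePub, fields, inside, sig),
		VerifyRRset(zonePub, fields, inside, natSig)
}

func main() {
	orig, rewritten, resigned := NATScenario()
	fmt.Printf("untouched answer validates: %v\n", orig)
	fmt.Printf("NAT-rewritten answer, original RRSIG: %v\n", rewritten)
	fmt.Printf("NAT-rewritten answer, NAT-made RRSIG, checked against zone key: %v\n", resigned)
}
```

The third case is the crux of the exchange: a validator's trust ends at the zone's DNSKEY (chained from the parent), so a signature the NAT box generates over its regenerated data is rejected unless the inside clients are separately configured to trust the NAT box's key, at which point it is the NAT box, not the zone, that they are validating.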