NAT etc. (was: Spam Control Considered Harmful)
Jay R. Ashworth
jra at scfn.thpl.lib.fl.us
Sat Nov 1 22:37:57 UTC 1997
On Sat, Nov 01, 1997 at 12:34:13PM -0800, Paul A Vixie wrote:
> Havard said:
> > ...which brings me to think if it isn't so that Secure DNS (at
> > least as currently specified) and widespread deployment of NAT
> > boxes which fiddle with the contents of DNS reply/request packets
> > isn't exactly a properly working combination. As I understand it
> > you can have NAT or Secure DNS with e.g. signed A records but you
> > can't (easily?) have both.
>
> This is a misdirected concern. DNS clients inside a NAT cloud are
> already proscribed from seeing DNS data from other NAT clouds or from
> the Internet itself. The NAT technology has to strip off DNSSEC stuff
> when it imports data but it tends to strip off DNS delegation and
> authority data as well, and tends to alter the address and mail exchange
> records. NAT borders are already DNS endpoints, with or without DNSSEC.
> Whether and how to regenerate external DNS inside a NAT cloud is a matter
> of NAT implementation, but the fact that it's _regenerated_, not forwarded
> or recursed, is a design constant.
Well, yes, Paul, but unless I misunderstood you, that's exactly the
point. If a client inside a NAT cloud does a DNS lookup to a
supposedly authoritative server outside, and the NAT box is _required_
to strip off the signature (which it would, because it has to change
the data), then it's not possibile, by definition, for any client
inside such a NAT box to make any use of SecDNS.
The point is that you _can't_ regenerate the signature, usefully to the
client, anyway, precisely because _it is a signature_.
Cheers,
-- jra
--
Jay R. Ashworth jra at baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "Pedantry. It's not just a job, it's an
Tampa Bay, Florida adventure." -- someone on AFU +1 813 790 7592
More information about the NANOG
mailing list