NAT etc. (was: Spam Control Considered Harmful)

• Previous message (by thread): NAT etc. (was: Spam Control Considered Harmful)
• Next message (by thread): Communities
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Date: Sat, 1 Nov 1997 17:37:57 -0500
> From: "Jay R. Ashworth" <jra at scfn.thpl.lib.fl.us>
> To: "You're welcome" <nanog at merit.edu>
> Subject: Re: NAT etc. (was: Spam Control Considered Harmful)
> 	[...]
> Well, yes, Paul, but unless I misunderstood you, that's exactly the
> point.  If a client inside a NAT cloud does a DNS lookup to a
> supposedly authoritative server outside, and the NAT box is _required_
> to strip off the signature (which it would, because it has to change
> the data), then it's not possibile, by definition, for any client
> inside such a NAT box to make any use of SecDNS.
> 
> The point is that you _can't_ regenerate the signature, usefully to the
> client, anyway, precisely because _it is a signature_.

Presumably, the NAT could,

o	Verify the signature of the DNS responses it receives, and
	dump any responses that don't meet its [authentication]
	criteria, or

o	Sign the the response it creates and let the client verify
	the NAT's signature.  Presumably, the client will trust
	the NAT.

-tjs

• Previous message (by thread): NAT etc. (was: Spam Control Considered Harmful)
• Next message (by thread): Communities
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]