[13297] in North American Network Operators' Group

Re: NAT etc. (was: Spam Control Considered Harmful)

daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Sat Nov 1 17:46:53 1997

Date: Sat, 1 Nov 1997 17:37:57 -0500
From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
To: "You're welcome" <nanog@merit.edu>
In-Reply-To: <199711012034.MAA01352@wisdom.rc.vix.com>; from Paul A Vixie <paul@vix.com> on Sat, Nov 01, 1997 at 12:34:13PM -0800

On Sat, Nov 01, 1997 at 12:34:13PM -0800, Paul A Vixie wrote:
> Havard said:
> > ...which brings me to think if it isn't so that Secure DNS (at
> > least as currently specified) and widespread deployment of NAT
> > boxes which fiddle with the contents of DNS reply/request packets
> > isn't exactly a properly working combination.  As I understand it
> > you can have NAT or Secure DNS with e.g. signed A records but you
> > can't (easily?) have both.
> 
> This is a misdirected concern.  DNS clients inside a NAT cloud are
> already proscribed from seeing DNS data from other NAT clouds or from
> the Internet itself.  The NAT technology has to strip off DNSSEC stuff
> when it imports data but it tends to strip off DNS delegation and
> authority data as well, and tends to alter the address and mail exchange
> records.  NAT borders are already DNS endpoints, with or without DNSSEC.
> Whether and how to regenerate external DNS inside a NAT cloud is a matter
> of NAT implementation, but the fact that it's _regenerated_, not forwarded
> or recursed, is a design constant.

Well, yes, Paul, but unless I misunderstood you, that's exactly the
point.  If a client inside a NAT cloud does a DNS lookup to a
supposedly authoritative server outside, and the NAT box is _required_
to strip off the signature (which it would, because it has to change
the data), then it's not possible, by definition, for any client
inside such a NAT box to make any use of SecDNS.

The point is that you _can't_ regenerate the signature, usefully to the
client, anyway, precisely because _it is a signature_.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "Pedantry.  It's not just a job, it's an
Tampa Bay, Florida          adventure."  -- someone on AFU      +1 813 790 7592
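The point Jay makes, that a NAT box which rewrites the address in a DNS reply cannot leave the RRSIG valid and cannot usefully regenerate it, as an added Go example that is not part of the original thread. It uses an ed25519 key pair as a stand-in for a DNSSEC zone key and a simplified canonical form; the owner name and both addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"net"
)

// ARecord is a constructed stand-in for an A RRset: owner name plus one IPv4 address.
type ARecord struct {
	Owner string
	Addr  net.IP
}

// canonical is the byte string the signature covers, a simplification of the
// DNSSEC canonical form (real RRSIGs also cover class, TTL and the RRSIG RDATA).
func (r ARecord) canonical() []byte {
	return append([]byte(r.Owner+"|IN|A|"), r.Addr.To4()...)
}

// SignRRset is the zone's authoritative side signing with the zone private key.
func SignRRset(zoneKey ed25519.PrivateKey, r ARecord) []byte {
	return ed25519.Sign(zoneKey, r.canonical())
}

// VerifyRRset is the validating client checking against the zone public key,
// which it learns through the DNSKEY chain, not from the NAT box.
func VerifyRRset(zonePub ed25519.PublicKey, r ARecord, sig []byte) bool {
	return ed25519.Verify(zonePub, r.canonical(), sig)
}

// NATRewrite models the NAT box translating the address in the reply;
// any RRSIG it forwards still covers the old address.
func NATRewrite(r ARecord, inside net.IP) ARecord {
	return ARecord{Owner: r.Owner, Addr: inside}
}

// Scenario returns whether (1) the original reply verifies, (2) the rewritten reply
// verifies under the original signature, (3) a reply re-signed by the NAT box with
// its own key verifies under the zone key. Only (1) should be true.
func Scenario() (bool, bool, bool) {
	zonePub, zoneKey, _ := ed25519.GenerateKey(rand.Reader)
	orig := ARecord{"www.example.", net.ParseIP("198.51.100.10")} // constructed
	sig := SignRRset(zoneKey, orig)
	rewritten := NATRewrite(orig, net.ParseIP("10.0.0.5")) // constructed inside address
	_, natKey, _ := ed25519.GenerateKey(rand.Reader)      // NAT box lacks the zone key
	return VerifyRRset(zonePub, orig, sig),
		VerifyRRset(zonePub, rewritten, sig),
		VerifyRRset(zonePub, rewritten, SignRRset(natKey, rewritten))
}
```

A client that accepted the NAT-produced signature would have to trust the NAT box's key in place of the zone's, which is exactly the "regenerated, not forwarded" endpoint Paul describes.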