
Re: [RRG] Mitigating the Downsides of NAT'ing




Hi,

Christian Vogt wrote:
>      (1a)  Both edge and transit addresses are returned in standard
>            A/AAAA records, and extra (newly defined) "E/EEEE" records
>            indicate which ones are edge addresses.  The DNS proxy
>            forwards only the A/AAAA records that include edge
>            addresses to the resolver.  This is compatible with DNSSEC
>            because forwarded records are unchanged.

This will actually break DNSSEC. If I'm correct, signatures are
generated over the whole RRset, and if you only forward a part of the
RRset, the validation will fail.

In other words, this has the same problem as proposal 1b: The proxy can
validate the DNS, but the resolver must trust the proxy.

Matthijs Mekking
matthijs@nlnetlabs.nl
Foundation NLnet Labs
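An added example (not part of the original message or the RRG thread) showing why a proxy that forwards only some of an RRset's records breaks validation: the RRSIG is computed over the RRSIG RDATA (without the signature field) plus the canonical form of the entire RRset, sorted by RDATA (RFC 4034, sections 3.1.8.1 and 6). The real signature is asymmetric; an HMAC keyed with a constructed key stands in for it here so the example runs with the standard library only, and the owner name, addresses, key tag and validity times are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ZONE_KEY = b"constructed-demo-key"  # stand-in for the zone's private signing key
TYPE_A, CLASS_IN = 1, 1

def wire_name(name):
    """Canonical wire form of a DNS name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def a_rdata(addr):
    """A record RDATA is the 4-byte address."""
    return IPv4Address(addr).packed

def canonical_rrset(owner, rtype, ttl, rdatas):
    """RFC 4034 section 6: every RR in canonical form, ordered by RDATA bytes."""
    return b"".join(
        wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
        for rd in sorted(rdatas))

def signed_data(owner, rtype, ttl, rdatas):
    """Input to the signature: RRSIG RDATA minus the signature, then the RRset."""
    labels = len(owner.rstrip(".").split("."))
    # type covered, algorithm, labels, original TTL, expiration, inception, key tag
    rrsig = struct.pack("!HBBIIIH", rtype, 13, labels, ttl,
                        2000000000, 1900000000, 12345) + wire_name("example.")
    return rrsig + canonical_rrset(owner, rtype, ttl, rdatas)

def sign(owner, rtype, ttl, rdatas):
    return hmac.new(ZONE_KEY, signed_data(owner, rtype, ttl, rdatas),
                    hashlib.sha256).digest()

def verify(owner, rtype, ttl, rdatas, sig):
    return hmac.compare_digest(sign(owner, rtype, ttl, rdatas), sig)

def demo():
    """Sign a two-record A RRset, then check full, reordered and partial copies."""
    owner, ttl = "www.example.", 3600
    rrset = [a_rdata("192.0.2.1"), a_rdata("192.0.2.2")]  # constructed edge/transit pair
    sig = sign(owner, TYPE_A, ttl, rrset)
    return {"full": verify(owner, TYPE_A, ttl, rrset, sig),
            "reordered": verify(owner, TYPE_A, ttl, rrset[::-1], sig),
            "subset": verify(owner, TYPE_A, ttl, rrset[:1], sig)}

if __name__ == "__main__":
    print(demo())  # {'full': True, 'reordered': True, 'subset': False}
```

Reordering the records still validates because canonical ordering removes wire order from the signed data, but dropping one record changes the signed data and the signature no longer matches.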


