Re: [RRG] Mitigating the Downsides of NAT'ing
Hi,
Christian Vogt wrote:
> (1a) Both edge and transit addresses are returned in standard
> A/AAAA records, and extra (newly defined) "E/EEEE" records
> indicate which ones are edge addresses. The DNS proxy
> forwards only the A/AAAA records that include edge
> addresses to the resolver. This is compatible with DNSSEC
> because forwarded records are unchanged.
This will actually break DNSSEC. If I'm correct, signatures are
generated over the whole RRset, and if you only forward part of the
RRset, validation will fail.
In other words, this has the same problem as proposal 1b: The proxy can
validate the DNS, but the resolver must trust the proxy.
Matthijs Mekking
matthijs@nlnetlabs.nl
Foundation NLnet Labs
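The RRset point above, shown as an added example that is not part of the original thread and not code from any of the participants. It models a zone signing an A RRset in canonical form (RFC 4034 section 6: owner name lowercased, duplicates removed, RRs sorted by RDATA) and a proxy that forwards only the records it considers "edge" addresses. HMAC-SHA256 stands in for the real public-key RRSIG so the example runs with the standard library alone; the IP addresses, TTL, key and the `edge` set are constructed and the helper names are assumptions.

```python
"""Why forwarding part of a signed RRset breaks DNSSEC validation.

DNSSEC signs the whole RRset, not each RR on its own, so a proxy that drops
some A records from the set hands the resolver data the RRSIG no longer
matches.  This is a self-contained illustration, not a DNS implementation.
"""
import hashlib
import hmac
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the zone's signing key (real DNSSEC uses an
# asymmetric key; HMAC is used only so this runs offline).
ZONE_KEY = b"constructed-zone-key-for-illustration"

# Constructed sample RRset: one name with two transit and two edge addresses.
OWNER = "host.example."
TTL = 3600
ALL_ADDRESSES = ["192.0.2.10", "203.0.113.7", "192.0.2.11", "203.0.113.8"]
EDGE_ADDRESSES = {"192.0.2.10", "192.0.2.11"}   # what an "E" record would flag


def canonical_rrset(owner: str, ttl: int, addresses: Iterable[str]) -> bytes:
    """Canonical form of an A RRset, simplified from RFC 4034 section 6.

    Owner name lowercased and fully qualified, duplicates removed, RRs sorted
    by RDATA (the packed address bytes).  Wire format is not reproduced; the
    property that matters is that every RR in the set contributes to the
    bytes that get signed, in an order both signer and validator agree on.
    """
    name = (owner.lower().rstrip(".") + ".").encode()
    packed = sorted({ipaddress.IPv4Address(a).packed for a in addresses})
    out = b""
    for rdata in packed:
        out += name + b"|" + str(ttl).encode() + b"|A|" + rdata + b"\n"
    return out


def sign_rrset(owner: str, ttl: int, addresses: Iterable[str], key: bytes) -> str:
    """Stand-in RRSIG: a MAC over the canonical RRset."""
    digest = hmac.new(key, canonical_rrset(owner, ttl, addresses), hashlib.sha256)
    return digest.hexdigest()


def validate_rrset(owner: str, ttl: int, addresses: Iterable[str],
                   rrsig: str, key: bytes) -> bool:
    """Recompute the signature over the RRset the resolver received."""
    expected = sign_rrset(owner, ttl, addresses, key)
    return hmac.compare_digest(expected, rrsig)


def proxy_forward_edge_only(addresses: Iterable[str], edge: set) -> List[str]:
    """Model proposal 1a: forward only the A records flagged as edge addresses."""
    return [a for a in addresses if a in edge]


def demo() -> Tuple[bool, bool, bool]:
    """Return (full set validates, reordered full set validates,
    edge-only subset validates)."""
    rrsig = sign_rrset(OWNER, TTL, ALL_ADDRESSES, ZONE_KEY)
    full_ok = validate_rrset(OWNER, TTL, ALL_ADDRESSES, rrsig, ZONE_KEY)
    # Reordering is harmless: canonical form sorts the RRs before signing.
    reordered_ok = validate_rrset(OWNER, TTL, list(reversed(ALL_ADDRESSES)),
                                  rrsig, ZONE_KEY)
    # Dropping the transit records changes the signed bytes, so the
    # unchanged RRSIG no longer verifies at the resolver.
    forwarded = proxy_forward_edge_only(ALL_ADDRESSES, EDGE_ADDRESSES)
    subset_ok = validate_rrset(OWNER, TTL, forwarded, rrsig, ZONE_KEY)
    return full_ok, reordered_ok, subset_ok


if __name__ == "__main__":
    full, reordered, subset = demo()
    print(f"full RRset validates:      {full}")
    print(f"reordered RRset validates: {reordered}")
    print(f"edge-only subset validates: {subset}")
```

The reordered case is included to show that the failure is not about record order; the canonical form absorbs that. What the signature cannot absorb is a change in set membership, which is exactly what filtering at the proxy does, so the resolver is left either rejecting the answer or trusting that the proxy validated it.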
--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg