
Re: [RRG] Mitigating the Downsides of NAT'ing



Matthijs,

On Mar 25, 2008, at 3:12 AM, Matthijs Mekking wrote:
>     (1a)  Both edge and transit addresses are returned in standard
>           A/AAAA records, and extra (newly defined) "E/EEEE" records
>           indicate which ones are edge addresses.  The DNS proxy
>           forwards only the A/AAAA records that include edge
>           addresses to the resolver.  This is compatible with DNSSEC
>           because forwarded records are unchanged.
>
> This will actually break the DNSSEC. If I'm correct, signatures are
> generated over the whole RRset, and if you only forward a part of the
> RRset, the validation will fail.

An RRset is defined (in RFC 2181) to be all records of the same label, class, and type. The E/EEEE records would be of a different type and thus would be outside of the A/AAAA RRset over which the signature would be generated. Of course there would be no verifiable binding between the two (not sure that matters).

Regards,
-drc
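The two points made in this exchange (an RRSIG covers every record of one owner/class/type, so forwarding a subset of the A RRset fails validation, while records of a different type form their own RRset and signature) can be illustrated with a small model. The following is an added example, not code from the thread or from any DNS implementation; the addresses, the owner name and the "E" type are constructed, and HMAC-SHA256 under a constructed key stands in for the real DNSKEY/RRSIG algorithm because only the signed input matters here.

```python
import hashlib
import hmac

# Constructed stand-in key. A real zone signs with its private DNSKEY
# (RSA/ECDSA); HMAC-SHA256 over the canonical RRset stands in for that
# operation because the point is *what* is signed, not the algorithm.
ZONE_KEY = b"constructed-demo-zone-key"

OWNER = "www.example."
# Constructed addresses: two "edge" and one "transit" address, all published
# in the single A RRset for the owner name.
A_RRS = [b"192.0.2.1", b"192.0.2.2", b"198.51.100.7"]
EDGE_ONLY = [b"192.0.2.1", b"192.0.2.2"]
# Hypothetical "E" records (the proposal quoted above) naming the edge ones.
E_RRS = [b"192.0.2.1", b"192.0.2.2"]


def canonical_rrset(owner, rrtype, rdatas):
    """Canonical form in the spirit of RFC 4034 section 6: lowercased owner,
    class/type/TTL fields, RDATA sorted into canonical order. The input is
    *every* record sharing this owner/class/type, so omitting one changes it.
    (Real RRSIG uses wire-format RDATA; text RDATA stands in here.)"""
    header = f"{owner.lower()} IN {rrtype} 3600".encode()
    return b"\n".join(header + b" " + rd for rd in sorted(rdatas))


def sign_rrset(owner, rrtype, rdatas, key=ZONE_KEY):
    """Stand-in for producing the RRSIG over the whole RRset."""
    msg = canonical_rrset(owner, rrtype, rdatas)
    return hmac.new(key, msg, hashlib.sha256).digest()


def validate_rrset(owner, rrtype, rdatas, sig, key=ZONE_KEY):
    """What a validating resolver does: rebuild the canonical RRset from the
    records it actually received and check the RRSIG against it."""
    return hmac.compare_digest(sign_rrset(owner, rrtype, rdatas, key), sig)


# Signatures as the zone would publish them: one per RRset (per type).
A_SIG = sign_rrset(OWNER, "A", A_RRS)
E_SIG = sign_rrset(OWNER, "E", E_RRS)


def proxy_forwards_subset():
    """Matthijs's objection: a proxy that drops the transit A record and
    forwards the edge-only subset with the original RRSIG fails validation."""
    return validate_rrset(OWNER, "A", EDGE_ONLY, A_SIG)


def separate_type_is_independent():
    """drc's point: E records have a different type, hence their own RRset
    and RRSIG. The A RRset validates on its own, and so does the E RRset;
    neither signature covers the other."""
    a_ok = validate_rrset(OWNER, "A", A_RRS, A_SIG)
    e_ok = validate_rrset(OWNER, "E", E_RRS, E_SIG)
    # Checking the A records against the E signature (or vice versa) fails:
    # there is no binding between the two RRsets.
    cross = validate_rrset(OWNER, "A", A_RRS, E_SIG)
    return a_ok and e_ok and not cross


if __name__ == "__main__":
    print("edge-only A subset validates:", proxy_forwards_subset())
    print("A and E RRsets validate independently:", separate_type_is_independent())
```

The proxy in the quoted proposal would pass a resolver only part of the A RRset, which is exactly the case `proxy_forwards_subset` models; whether the E records are present or not has no bearing on that result.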


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg