
Re: on NAT-PT




itojun@iijlab.net wrote:

you have been ignoring my comment (i made this comment months ago)
to use "AD is secure" for the response from DNS-ALG.


Let me get back to this now.

The fundamental issue is that nodes do not know
about the potential presence of a DNS ALG,
so they can not decide if it is OK to do recursive
queries themselves or if they have to use "AD is secure"
and send DNS queries to a trusted recursive resolver.

i guess you are talking about something different.

if the site administration policy is to use a recursive resolver
and "AD is secure", this does not matter whether the recursive
resolver is DNS-ALG or not. the whole point of "AD is secure" is to
offload the implementation complexity of DNSSEC from the end clients
and put it into recursive resolver.

itojun

I think yes, we are talking about something different.
Yes, using 'AD is secure' works and solves the particular
problem I'm describing.

What I'm saying is that imposing the use of 'AD is secure'
to operate DNSsec in IPv6 networks is a big step
that I'm not sure I'm ready to make.

   - Alain.
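
An added illustration of the "AD is secure" stub policy discussed in this thread (not code from either poster): a non-validating client accepts an answer as secure only when the AD bit is set in a response from a resolver the site has designated as trusted. The resolver address, function names and sample messages are assumptions constructed for the example.

```python
import struct
from ipaddress import ip_address

QR_FLAG = 0x8000  # response bit in the DNS header flags word
AD_FLAG = 0x0020  # Authenticated Data: resolver says it validated the answer

# Assumption: resolvers the site administrator designates as trusted
# (documentation-prefix address, constructed for this example).
TRUSTED_RESOLVERS = {ip_address("2001:db8::53")}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR_FLAG),
            "ad": bool(flags & AD_FLAG), "rcode": flags & 0x000F,
            "ancount": an}


def classify(msg: bytes, source: str, query_id: int) -> str:
    """Return 'secure', 'insecure' or 'reject' for a stub that does no
    DNSSEC validation itself and relies on the resolver's AD bit."""
    hdr = parse_header(msg)
    if not hdr["qr"] or hdr["id"] != query_id:
        return "reject"  # not a response to our query
    # The AD bit is only a claim. It carries weight only when it comes from
    # a resolver the site trusts, over a path assumed to be protected; a
    # source-address match alone does not authenticate the sender.
    if ip_address(source) not in TRUSTED_RESOLVERS:
        return "insecure"
    return "secure" if hdr["ad"] else "insecure"


def sample_response(ident: int, ad: bool) -> bytes:
    """Constructed header-only response (QR, RD, RA set; one answer counted)."""
    flags = QR_FLAG | 0x0100 | 0x0080 | (AD_FLAG if ad else 0)
    return struct.pack("!6H", ident, flags, 1, 1, 0, 0)


if __name__ == "__main__":
    for src, ad in [("2001:db8::53", True), ("2001:db8::53", False),
                    ("2001:db8::99", True)]:
        print(src, ad, classify(sample_response(0x1234, ad), src, 0x1234))
```

Under this policy it makes no difference to the client whether the trusted resolver is also a DNS-ALG, which is the point made in the quoted reply; a client that validates signatures itself is outside what this sketch covers.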