[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: on NAT-PT
itojun@iijlab.net wrote:
you have been ignoring my comment (i made this comment months ago)
to use "AD is secure" for the response from DNS-ALG.
Let met get back to this now.
The fundamental issue is that nodes do not know
about the potential presence of a DNS ALG,
so they can not decide if it is OK to do recursive
queries themselves or if they have to use "AD is secure"
and send DNS queries to a trusted recursive resolver.
i guess you are talking about something different.
if the site administration policy is to use a recursive resolver
and "AD is secure", this does not matter whether the recursive
resolver is DNS-ALG or not. the whole point of "AD is secure" is to
offload the implementation complexity of DNSSEC from the end clients
and put it into recursive resolver.
itojun
I think yes, were are talking about something different.
Yes, using 'AD is secure' works and solve the particular
problem I'm describing.
What I'm saying is that imposing to use 'AD is secure'
to operate DNSsec in IPv6 networks is a big step
that I'm not sure I'm ready to make.
- Alain.