
Re: on NAT-PT



>>you have been ignoring my comment (i made this comment months ago)
>>to use "AD is secure" for the response from DNS-ALG.
>>
>Let me get back to this now.
>
>The fundamental issue is that nodes do not know
>about the potential presence of a DNS ALG,
>so they can not decide if it is OK to do recursive
>queries themselves or if they have to use "AD is secure"
>and send DNS queries to a trusted recursive resolver.

	i guess you are talking about something different.

	if the site administration policy is to use a recursive resolver
	and "AD is secure", this does not matter whether the recursive
	resolver is DNS-ALG or not.  the whole point of "AD is secure" is to
	offload the implementation complexity of DNSSEC from the end clients
	and put it into recursive resolver.

itojun