Re: on NAT-PT
>>you have been ignoring my comment (i made this comment months ago)
>>to use "AD is secure" for the response from DNS-ALG.
>>
>Let me get back to this now.
>
>The fundamental issue is that nodes do not know
>about the potential presence of a DNS ALG,
>so they can not decide if it is OK to do recursive
>queries themselves or if they have to use "AD is secure"
>and send DNS queries to a trusted recursive resolver.
i guess you are talking about something different.
if the site administration policy is to use a recursive resolver
and "AD is secure", it does not matter whether the recursive
resolver is a DNS-ALG or not. the whole point of "AD is secure" is to
offload the implementation complexity of DNSSEC from the end clients
and put it into the recursive resolver.
itojun