
Re: Evaluation: draft-ietf-dnsext-ad-is-secure



>>>"A server MUST not set the AD bit unless it knows that a secure 
>>>transport is in use between it and the requesting client."
>> and the way the dns application tells that ipsec is established
>> between it and the client is ...?
> Yep, this is a problem. There needs to be an API that applications can 
> call to determine if ipsec is present and what level of protection is 
> engaged. Sorry, this stuff isn't easy.

as i said, the current spec is the best we could do given the constraints.
we don't love it, but that's the current reality.

randy