Re: Evaluation: draft-ietf-dnsext-ad-is-secure
>>>"A server MUST not set the AD bit unless it knows that a secure
>>>transport is in use between it and the requesting client."
>> and the way the dns application tells that ipsec is established
>> between it and the client is ...?
> Yep, this is a problem. There needs to be an API that applications can
> call to determine if ipsec is present and what level of protection is
> engaged. Sorry, this stuff isn't easy.
as i said, the current spec is the best we could do given the constraints.
we don't love it, but that's the current reality.
randy