Re: Evaluation: draft-ietf-dnsext-ad-is-secure

["Jeffrey I. Schiller" <jis@mit.edu>]

Well, I would prefer that if the spec is about accessing DNS Securely, 
that it in fact manages to do that. We don't need this spec to access 
DNS insecurely.

			-Jeff

Randy Bush wrote:
> > > > "A server MUST not set the AD bit unless it knows that a secure 
> > > > transport is in use between it and the requesting client."
> > > and the way the dns application tells that ipsec is established
> > > between it and the client is ...?
> > Yep, this is a problem. There needs to be an API that applications can 
> > call to determine if ipsec is present and what level of protection is 
> > engaged. Sorry, this stuff isn't easy.
>
> as i said, the current spec is the best we could do given the constraints.
> we don't love it, but that's the current reality.
>
> randy