> ...which brings me to think if it isn't so that Secure DNS (at
> least as currently specified) and widespread deployment of NAT
> boxes which fiddle with the contents of DNS reply/request packets
> isn't exactly a properly working combination. As I understand it
> you can have NAT or Secure DNS with e.g. signed A records but you
> can't (easily?) have both.
This is a misdirected concern. DNS clients inside a NAT cloud are
already proscribed from seeing DNS data from other NAT clouds or from
the Internet itself. The NAT technology has to strip off DNSSEC stuff
when it imports data but it tends to strip off DNS delegation and
authority data as well, and tends to alter the address and mail exchange
records. NAT borders are already DNS endpoints, with or without DNSSEC.
Whether and how to regenerate external DNS inside a NAT cloud is a matter
of NAT implementation, but the fact that it's _regenerated_, not forwarded
or recursed, is a design constant.
(While I have replied to Paul, this raving is for everyones
general amusment. - bill)
I think this is correct. However, this line of thinking
when seen in the light of end2end IPSEC seems to indicate that
NAT/Firewall technologies mandate a regenerated security
"envelope" at the NAT/Firwall edge. This tends to be what
corporations/governments want, while others tend toward
the endpoints being indivdually oriented. I, for one, (and
I expect I'm in the minority here) don't want to hand my keys
over to BBSS, Sprint, GTE, WCOM, the FBI, the Governement of
France... so they can decrypt the packets that I am sending
So, while I agree that NAT/Firewall techniques are an approch
to dealing with heirarchy/scaling issues, I think that MJR
was right. NAT/Firewalls are bandaids to be used until we have
reasonable endsystem/endsystem IP security.
If you really buy off on the catanet arguement, then there is
no need to reuse IP. FIDOnet, TCP on PPPover(mediaofchoice),
DECnet adnausa are available and you win with application transparency.
Jumping through all those hoops to make NATs work "seamlessly"
is a glittering bauble. Lots of interesting knots to go untangle
as folks rework and undo one of the basic assumptions behind IP
which is a single, common addressing space. And its really an
admission of failure.
Too many people saying, "Its too hard to make true end2end work,
(even across the existant IP (thats IPv4 for you Sean) space) so
we must carve it up into tiny bits that each party can claim as
their very own."
Buying into NATs dooms people to live in thier private hells.