> > Host to host IPsec is very rare.

But that's what we are trying to change :)

> > But regardless, let's assume that the local address is 198.51.100.2. So the
> > quintuple for the connection would be (UDP, 198.51.100.2:704, 192.0.2.5:53)
>
> I don't think you want a tunnel per netflow, and still the application has no way of knowing or verifying the entity of the destination encryption.
>
> Unless we use route-based VPN, and then we're as secure as the routing
> protocol.

Doing authnull yes, but the point of using DNSSEC is to get a firm proven grip on the remote identity.

Paul

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane