>I assume this "forwarder" (a term which might be in common use but not
>well-defined, hence my stated assumption) merely receives DNS queries
>on one address and sends the identical queries to another address,
>and likewise for responses. Presumably such a box needs to track
>the pending queries in order to be able to return the responses to
>the correct address.
>
>If such a box doesn't do anything more than the above, this has implications
>on the trust model for DNSSEC. For instance, it might make some sense
>to have hosts trust a local DNS resolver to verify DNSSEC signatures,
>use a secure channel between the host and the resolver, and look
>at the DNS "AD" bit to determine that trusted resolver accepted
>the signatures on the data (see draft-ietf-dnsext-ad-is-secure).
>
>However, such a host might not trust the resolver external to the site.
>And the use of a "forwarder" here seems to imply that the host thinks
>it is talking to a resolver inside the site, when in fact it is using
>a resolver outside the site. This trust issue is not discussed in
>the draft and it clearly requires more thinking.
>Perhaps a result will be that any host using this DNS discovery mechanism
>MUST perform full verification of DNSSEC signatures and not rely
>on the recursive resolver to do the signature verification.

        i guess it's a bit off-topic, i think it is more like an AD-bit issue.

        as long as a secure channel is maintained between host and resolver,
        it does not make a difference, no?  do you think a host would configure
        a secure channel to an untrustworthy resolver?

itojun
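An added example, not part of this thread or of any draft: a small Python decoder for the DNS header bits under discussion (AD, CD) together with the host-side policy the quoted message implies, namely that the AD bit is believed only when it comes from a configured validating resolver over a secure channel, and that a host validating for itself sets CD on its own queries. The resolver addresses and the trusted set are constructed for the example.

```python
import struct

# Header flag bits: RFC 1035 section 4.1.1, plus AD/CD from RFC 2535 section 6.1
FLAG_QR = 0x8000   # 1 = response, 0 = query
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: the resolver claims it validated DNSSEC signatures
FLAG_CD = 0x0010   # checking disabled: the host will validate signatures itself

# Constructed policy: resolvers this host trusts to validate, reached over a secure channel.
# A forwarder relays packets unchanged, so an AD bit set by an outside resolver arrives
# looking as if the address in this set had set it; only the channel endpoint is known.
TRUSTED_VALIDATORS = {"192.0.2.53"}


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into ID, the flag bits of interest and counts."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_query(ident: int, validate_locally: bool) -> bytes:
    """Constructed query header: a host doing its own DNSSEC validation sets CD."""
    flags = FLAG_RD | (FLAG_CD if validate_locally else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)


def build_response(ident: int, ad: bool) -> bytes:
    """Constructed response header (one question, no records) with AD set or clear."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)


def accept_ad(packet: bytes, resolver_addr: str, channel_secure: bool):
    """Decide whether the host may rely on AD instead of validating itself.
    Returns (secure, reason)."""
    hdr = parse_header(packet)
    if not hdr["qr"]:
        return False, "not a response"
    if not hdr["ad"]:
        return False, "AD clear: resolver did not validate, host must validate"
    if resolver_addr not in TRUSTED_VALIDATORS or not channel_secure:
        return False, "AD from untrusted resolver or insecure channel: validate locally"
    return True, "AD accepted from trusted resolver over secure channel"
```

If the trusted address is really a forwarder to an outside resolver, this policy accepts an AD bit the host never meant to trust, which is the gap the quoted message points at; the safe configuration is to send queries with CD set and validate locally.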
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------