From: (no name) (no email)
Date: Sat Nov 01 1997 - 15:11:53 EST
> > Security based on IP address.
> Here I disagree, not only for the obvious reason that
> forgery is easy, but also because basing anything on IP
> address that does not involve looking back up through the
> DNS (which is also not yet safe) is incompatible with NAT.
...which brings me to think if it isn't so that Secure DNS (at
least as currently specified) and widespread deployment of NAT
boxes which fiddle with the contents of DNS reply/request packets
isn't exactly a properly working combination. As I understand it
you can have NAT or Secure DNS with e.g. signed A records but you
can't (easily?) have both.
(Which brings us even further afield from the original subject... ;-)