
List:       linux-ipsec
Subject:    Re: [Users] Opportunism query
From:       Henry Spencer <henry () spsystems ! net>
Date:       2001-05-30 18:19:26

On Wed, 30 May 2001, Sandy Harris wrote:
> 	client (usually) does a DNS lookup to get remote IP address
> 	client constructs and sends a packet with that address
> 	gateway intercepts packet and notes that no tunnel exists for
> 	  that address
> 	gateway does DNS lookup to attempt opportunistic encryption
> Assuming we control the DNS server which these lookups first contact, is
> there a way to configure it so that the first lookup, done by the client,
> causes the data the second lookup will need to be cached?

Unfortunately, no.  There are two reasons for that.

First, the data the client needs is not the data the gateway needs, and
DNS queries normally are fairly narrow and specific.

Second, there is no way to ask the name server "what data do you have for
the name whose lookup yielded this address?".  That's what the DNS
"inverse query" feature was more or less supposed to do, in fact, and at
one point our spec said that Pluto should try an inverse query... but
nobody has ever implemented inverse queries, and the feature is now
considered obsolescent.  (Reverse lookups are not at all the same thing.)

Smarts in the name server would certainly be useful, but I'm afraid they
would have to be custom smarts, and it's a bit early to be asking the
server implementors for that.

                                                          Henry Spencer
                                                       henry@spsystems.net

_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
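As an added illustration (not part of the thread above), here is a toy caching resolver keyed on (name, type), showing why the client's forward A lookup leaves nothing the gateway can use and why an address-to-name question cannot be answered from the cache. It assumes, as FreeS/WAN opportunistic encryption did, that the gateway looks up a TXT record under the address's in-addr.arpa name; the hostname, addresses and record text are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample zones.  The reverse zone holds a placeholder
# OE TXT record; the text is illustrative, not a real key.
FORWARD_ZONE: Dict[Tuple[str, str], str] = {
    ("www.example.com.", "A"): "192.0.2.10",
}
REVERSE_ZONE: Dict[Tuple[str, str], str] = {
    ("10.2.0.192.in-addr.arpa.", "TXT"): "X-IPsec-Server(10)=192.0.2.1 <placeholder-key>",
}


class Resolver:
    """Caching resolver: entries are keyed on (qname, qtype), as real caches are."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], str] = {}
        self.upstream_queries = 0

    def query(self, qname: str, qtype: str) -> Optional[str]:
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key]
        self.upstream_queries += 1  # cache miss: go to the authoritative data
        answer = FORWARD_ZONE.get(key) or REVERSE_ZONE.get(key)
        if answer is not None:
            self.cache[key] = answer
        return answer

    def names_that_resolved_to(self, addr: str) -> List[str]:
        """The 'inverse query' the thread says nobody implements: a cache has
        no address-to-name index, so this can only scan cached A records."""
        return [name for (name, qtype), rdata in self.cache.items()
                if qtype == "A" and rdata == addr]


def reverse_name(ipv4: str) -> str:
    """Build the in-addr.arpa name for a dotted-quad address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def opportunistic_flow(resolver: Resolver, hostname: str) -> Tuple[str, Optional[str], int]:
    """Client forward lookup, then the gateway's reverse TXT lookup.
    Returns (address, txt record, upstream queries the gateway's lookup cost)."""
    addr = resolver.query(hostname, "A")
    before = resolver.upstream_queries
    txt = resolver.query(reverse_name(addr), "TXT")
    return addr, txt, resolver.upstream_queries - before
```

The gateway's lookup always costs a second upstream query: the client's lookup cached ("www.example.com.", "A"), a key the gateway never asks for.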
