Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns and split horizon DNS

Joe Abley <jabley@hopcount.ca> Wed, 08 December 2021 13:46 UTC

From: Joe Abley <jabley@hopcount.ca>
Mime-Version: 1.0 (1.0)
Date: Wed, 08 Dec 2021 08:46:15 -0500
Message-Id: <E03627E3-6BF3-424A-811D-063FED5AEDC5@hopcount.ca>
References: <11411.1638970287@localhost>
Cc: Dan Wing <danwing@gmail.com>, "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, ADD Mailing list <add@ietf.org>
In-Reply-To: <11411.1638970287@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/0S6EGfO3birmS2WLkAeFTrfeSKE>
Subject: Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns and split horizon DNS

On Dec 8, 2021, at 08:31, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> That's why it would be nice if the draft explained this and gave it a name.

You're saying "this" like it's one thing that is unambiguously achieved in a single way. It's not. 

> Yes, "corp.example.com" has an NS record in example.com which points to an IP
> address/DNS-server that does not answer queries if you aren't within the
> domain.

Making a public lame delegation to a private set of servers is one way to do this. 

Hosting an internal zone on servers that sit in the resolver graph for the desired set of clients is another. 

Forking the example.com zone into multiple namespaces served by different servers is another. There is more than one mechanism by which those servers receive particular queries. 

> I have seen it in use at multiple places over multiple decades.
> It works far better than having two authorities for the same name,
> particularly for entities that have multiple points of presence with VPNs
> connecting them.

"Authorities," "name" and "points of presence" are all ambiguous here. 

I point these things out just to illustrate that there are many ways to peel the covering fabric from these multiple rhetorical animals. Clear communication around these issues really needs some work towards a usefully-complete taxonomy. Without a clear description of the deployment scenarios to be covered it's really premature to claim any particular solution is complete. 

As a rule, the DNS in practice is messier than DNS in theory, and DNS in theory is already pretty messy. 

> {IPv6 makes this trivial, but it can also be done with less elegance using
> RFC1918, if the enterprise has no public IPv4 and can't hire any. }

The address family used to reach particular nameservers implicated in the above seems like the most superficial of details to me. 


Joe
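The three mechanisms Joe distinguishes above (a public lame delegation to private servers, an internal zone that exists only on the resolvers a given set of clients use, and a forked zone served with different data by different server sets) look different when you probe a name from outside and from inside. The following is an added example, not code from this thread or from the add-enterprise-split-dns draft: it classifies constructed probe results into those categories and flags the misconfiguration a defender most often wants caught, private addresses showing up in the public view. All names, addresses and category labels are made up for the example; nothing queries the network.

```python
"""Classify how a name is split between public and internal DNS.

Added example (not from the thread or the draft). It models the three
mechanisms discussed on the list and classifies a constructed observation
into one of them. All data is hypothetical; nothing touches the network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Classification codes (labels chosen for this example only).
INTERNAL_ONLY = "internal-only"        # no public delegation; only internal resolvers know the zone
LAME_PRIVATE = "lame-private"          # public NS exists but points at RFC 1918 / ULA addresses
LAME_UNREACHABLE = "lame-unreachable"  # public NS has public addresses but does not answer outsiders
FORKED = "forked"                      # both sides answer, with different data for the same name
PUBLIC_ONLY = "public-only"
NOT_SPLIT = "not-split"

# Explicit list rather than ipaddress.is_private(): the stdlib also treats the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private,
# which would misclassify the sample data below.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


@dataclass
class Observation:
    """What a probe of one name looks like from outside and from inside."""
    name: str
    # NS names in the public delegation for the name's zone, mapped to the
    # addresses those NS names resolve to publicly ({} if no delegation).
    public_ns: Dict[str, List[str]]
    # A/AAAA data via a public resolver; None means NXDOMAIN, SERVFAIL or timeout.
    public_answer: Optional[List[str]]
    # The same query sent through the enterprise resolver.
    internal_answer: Optional[List[str]]


def is_private(addr: str) -> bool:
    """True for addresses that are not reachable from the public Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)  # version mismatch yields False


def classify(obs: Observation) -> str:
    if obs.public_answer is None:
        if obs.internal_answer is None:
            return NOT_SPLIT  # nobody answers; nothing is split
        if not obs.public_ns:
            return INTERNAL_ONLY  # zone lives only on the client's resolver path
        targets = [a for addrs in obs.public_ns.values() for a in addrs]
        if targets and all(is_private(a) for a in targets):
            return LAME_PRIVATE
        return LAME_UNREACHABLE
    if obs.internal_answer is None:
        return PUBLIC_ONLY
    if set(obs.public_answer) != set(obs.internal_answer):
        return FORKED
    return NOT_SPLIT


def leaked_private_addresses(obs: Observation) -> List[str]:
    """Private addresses visible in the *public* answer: worth flagging
    whichever mechanism is in use, since it exposes internal topology."""
    return sorted(a for a in (obs.public_answer or []) if is_private(a))


# Constructed observations (hypothetical names; public side uses documentation prefixes).
SAMPLES = [
    Observation("host.corp.example.com", {"ns1.corp.example.com": ["10.0.0.53"]}, None, ["10.1.2.3"]),
    Observation("wiki.intranet.example.com", {}, None, ["10.4.5.6"]),
    Observation("vpn.partner.example.com", {"ns.partner.example.com": ["203.0.113.53"]}, None, ["10.9.9.9"]),
    Observation("www.example.com", {"ns1.example.com": ["198.51.100.53"]}, ["198.51.100.10"], ["10.7.8.9"]),
    Observation("mail.example.com", {"ns1.example.com": ["198.51.100.53"]}, ["198.51.100.25"], ["198.51.100.25"]),
    Observation("oops.example.com", {"ns1.example.com": ["198.51.100.53"]}, ["10.0.0.5"], ["10.0.0.5"]),
]


def summarize(observations=SAMPLES) -> Dict[str, str]:
    """Map each probed name to its classification, for reporting."""
    return {o.name: classify(o) for o in observations}


if __name__ == "__main__":
    for o in SAMPLES:
        leak = leaked_private_addresses(o)
        print(f"{o.name:28} {classify(o):16} leaked={','.join(leak) or '-'}")
```

The point of separating `classify` from `leaked_private_addresses` is that the leak check is independent of which of Joe's mechanisms an enterprise chose: a forked zone and a lame delegation can both end up publishing 10/8 addresses, and a taxonomy of deployment scenarios is what lets the checks be stated precisely.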