Re: [Add] Fwd: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

Ben Schwartz <bemasc@google.com> Thu, 11 March 2021 19:02 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Thu, 11 Mar 2021 14:02:04 -0500
To: tirumal reddy <kondtir@gmail.com>
Cc: ADD Mailing list <add@ietf.org>
Message-ID: <CAHbrMsCK5BUNzF+8nd722R-BR612mM+3oA6x9RzoT_osHWWRzg@mail.gmail.com>
In-Reply-To: <CAFpG3geAq9oTEJp+uFQ_vHdATgT9Faza-tJURciO=RheLgLDug@mail.gmail.com>
References: <161544385340.18570.13061001177806683345@ietfa.amsl.com> <CAFpG3geAq9oTEJp+uFQ_vHdATgT9Faza-tJURciO=RheLgLDug@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2eGMSU4zKO-DLffNDmuDzFS6_DY>
List-Id: Applications Doing DNS <add.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>

Thanks for the updates.  Some comments:

Section 6:

>    If an Enterprise network restricts all the DNS queries to be sent to
>    the network-provided DNS server, SplitDNSAllowed will be set to
>    false.
This is clearly a policy prescription, and is out of scope.  I think this
key should be removed from the draft.

> [RFC7149] recommends validation of responses using NSEC3.

Nit: RFC 7129.

Broader note: I think it would be better to drop the "private-only" flag,
as well as the NSEC test and top-domains list.  While this arrangement of
claiming domain names that are known not to exist globally is possibly
allowed by RFC 2826, I don't think it's a good practice.  For example,
there is no such domain as "login.citibank.com", but I think it would be
bad security practice (and also a bad architecture) to allow networks to
claim that name.

Note that private-only names are still supported.  If the local resolver is
authoritative for corp.example.com, it can serve queries for
login.corp.example.com, even if login.corp.example.com is NXDOMAIN when
queried externally.

On Thu, Mar 11, 2021 at 1:26 AM tirumal reddy <kondtir@gmail.com> wrote:

> The revised draft https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns-01 addresses comments from Ben. Further comments and suggestions are welcome.
>
> Cheers,
> -Tiru
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Thu, 11 Mar 2021 at 11:54
> Subject: New Version Notification for
> draft-reddy-add-enterprise-split-dns-01.txt
> To: Tirumaleswar Reddy.K <kondtir@gmail.com>, Dan Wing <danwing@gmail.com>
>
>
>
> A new version of I-D, draft-reddy-add-enterprise-split-dns-01.txt
> has been successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
>
> Name:           draft-reddy-add-enterprise-split-dns
> Revision:       01
> Title:          Split-Horizon DNS Configuration in Enterprise Networks
> Document date:  2021-03-10
> Group:          Individual Submission
> Pages:          12
> URL:            https://www.ietf.org/archive/id/draft-reddy-add-enterprise-split-dns-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-reddy-add-enterprise-split-dns/
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns
> Htmlized:       https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-01
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-reddy-add-enterprise-split-dns-01
>
> Abstract:
>    When split-horizon DNS is deployed by an enterprise, certain
>    enterprise domains are only resolvable by querying the network-
>    provided DNS server.  DNS clients which use DNS servers not provided
>    by the network need to route those DNS domain queries to the network-
>    provided DNS server.  This document informs DNS clients of split-
>    horizon DNS, their DNS domains, and is compatible with encrypted DNS.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>
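The routing decision the draft's abstract describes (send queries for the enterprise's split-horizon domains to the network-provided resolver, everything else to the client's own resolver), written out as an added example. This is not code from draft-reddy-add-enterprise-split-dns, its authors, or this thread. It assumes, purely for illustration, that the network advertises a list of domain suffixes for which its resolver is authoritative (the `corp.example.com` case from Ben's note) and that the client matches query names against that list on label boundaries. It does not verify the network's claim to those names; that is the separate question the thread is arguing about. The `naive_suffix_match` function is included only to show the substring bug that a label-boundary check avoids.

```python
"""Client-side query routing under split-horizon DNS (added example).

Illustrative assumptions, not taken from the draft:
  - the network advertises a tuple of zones its resolver is authoritative for;
  - a query at or below one of those zones goes to the network resolver;
  - every other query goes to the client's own (e.g. encrypted) resolver.
"""

from dataclasses import dataclass
from typing import Optional


def dns_labels(name: str) -> list:
    """Split a name into lowercase labels, ignoring a trailing dot (RFC 4343 case rule)."""
    return [label for label in name.strip().rstrip(".").lower().split(".") if label]


def is_at_or_below(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it, comparing whole labels."""
    q, z = dns_labels(qname), dns_labels(zone)
    if not z or len(q) < len(z):
        return False
    return q[len(q) - len(z):] == z


def naive_suffix_match(qname: str, zone: str) -> bool:
    """The common mistake: a string suffix test ignores label boundaries, so
    'notcorp.example.com' wrongly matches the zone 'corp.example.com'."""
    return qname.lower().rstrip(".").endswith(zone.lower().rstrip("."))


@dataclass(frozen=True)
class SplitDnsConfig:
    claimed_zones: tuple            # e.g. ("corp.example.com",), hypothetical input
    network_resolver: str           # resolver provided by the enterprise network
    default_resolver: str           # the client's own preferred resolver


def choose_resolver(qname: str, cfg: SplitDnsConfig):
    """Return (resolver, matched_zone) for qname; matched_zone is None when the
    query is not under any claimed zone and goes to the default resolver."""
    for zone in cfg.claimed_zones:
        if is_at_or_below(qname, zone):
            return cfg.network_resolver, zone
    return cfg.default_resolver, None


def route_all(queries, cfg: SplitDnsConfig) -> dict:
    """Route a batch of query names; handy for checking a configuration offline."""
    return {name: choose_resolver(name, cfg) for name in queries}


# Constructed sample configuration and queries (not from the draft).
SAMPLE_CONFIG = SplitDnsConfig(
    claimed_zones=("corp.example.com",),
    network_resolver="network-resolver",
    default_resolver="default-resolver",
)
SAMPLE_QUERIES = (
    "login.corp.example.com",        # private-only name under the claimed zone
    "CORP.Example.COM.",             # zone apex, mixed case, trailing dot
    "notcorp.example.com",           # substring trap: must NOT match
    "corp.example.com.evil.net",     # prefix trap: must NOT match
    "login.citibank.com",            # not under any claimed zone
)

if __name__ == "__main__":
    for name, (resolver, zone) in route_all(SAMPLE_QUERIES, SAMPLE_CONFIG).items():
        print(f"{name:30} -> {resolver} (zone: {zone})")
    print("naive match on notcorp.example.com:",
          naive_suffix_match("notcorp.example.com", "corp.example.com"))
```

Every query at or below `corp.example.com` goes to the network resolver, including `login.corp.example.com` even though it is NXDOMAIN externally; `login.citibank.com` is routed to the default resolver because nothing in the claimed-zone list covers it. The label-boundary comparison is what keeps `notcorp.example.com` from being captured.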