Re: [Add] ADD WGLC for Establishing Local DNS Authority in Split-Horizon Environments draft-ietf-add-split-horizon-authority-03

Dan Wing <danwing@gmail.com> Fri, 03 February 2023 02:22 UTC

From: Dan Wing <danwing@gmail.com>
Message-Id: <DECC12BA-9A5D-458B-87B5-9AFA9B40F134@gmail.com>
Date: Thu, 02 Feb 2023 18:21:55 -0800
In-Reply-To: <CAFpG3gcYjN1XnAxZN9_xqr_CrXcy5939bSnnhBB=qUFo=0fCEw@mail.gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Paul Wouters <paul@nohats.ca>, "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, ADD Chairs <add-chairs@ietf.org>
To: Tirumaleswar Reddy <kondtir@gmail.com>
References: <LV2PR11MB60457F204E4CD1EDA21F811CEAFC9@LV2PR11MB6045.namprd11.prod.outlook.com> <fd07d6e2-aa92-6686-716b-856035bd0f63@nohats.ca> <B7536ACA-C32E-402E-B059-D6B085DC5754@apple.com> <CAFpG3gcYjN1XnAxZN9_xqr_CrXcy5939bSnnhBB=qUFo=0fCEw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/3fiqv_9JHwFxAUnElHRSxB7rTfM>

Same with my current employer's roadmap. The draft improves security for some of our VPN use-cases. Fortunately for IT staff, once DDR/DNR are available, the rest of the requirements for them to enable the draft are not onerous or scary.

-d


> On Feb 2, 2023, at 5:02 AM, tirumal reddy <kondtir@gmail.com> wrote:
> 
> It is in our roadmap (at my previous firm) to support this specification but we first need deployment of DDR/DNR. The mechanisms discussed in the draft are to give flexibility to the DNS client to pick one of them that is suitable to it. However, the network has just one way to prove authority over the domains.
> 
> -Tiru
> 
> On Thu, 12 Jan 2023 at 04:12, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
>> As the high-level bit, I’d like to understand what networks that use and rely on split DNS are going to deploy this, and which parts of the document are being deployed. I’d like to see some presentation and discussion of running code on both network and client sides.
>> 
>> The document describes many mechanisms, and I think we should have some experience with some or all of them before we try to publish the document, and use implementation and early deployment experience to influence the document and where it focuses.
>> 
>> To Paul’s points about realistic split DNS deployments, trying to use the mechanisms in this document in practice should help validate what is actually practical and effective in real networks.
>> 
>> I’d like to see more done in this regard before we progress the document beyond the WG.
>> 
>> Tommy
>> 
>> > On Jan 11, 2023, at 12:07 PM, Paul Wouters <paul@nohats.ca> wrote:
>> > 
>> > On Wed, 11 Jan 2023, Deen, Glenn wrote:
>> > 
>> >> The editors of the ADD Document: Establishing Local DNS Authority in Split-Horizon Environments
>> >> draft-ietf-add-split-horizon-authority-03 believe the document is ready for working last call.
>> >> This then is the formal WGLC for comments on this document.  This WGLC will run for 2 weeks until January 26th
>> >> 2023.
>> > 
>> > I still do not think this document is ready for the previously mentioned
>> > reasons:
>> > 
>> > - It redefines split-dns to a very specific case that is not the common case.
>> > - It requires split-dns to be centrally operated as the form of
>> >  authorization for "taking over" that domain. This does not work for the
>> >  common case of split-dns where the local branches run their own
>> >  independent DNS from the public global view. It calls this "Validated
>> >  Split-Horizon" and the solution only works for this subset of
>> >  split-dns.
>> > - split-dns where some domains only exist locally and not in the public
>> >  view requires that those local zones run on the same nameservers as
>> >  the public zone they fall under. This is not a common or realistic
>> >  kind of deployment.
>> > - The authorization for "Validated Split-Horizon" does not require DNSSEC,
>> >  so there is no authoritative proof. The draft introduces a term "tamperproof
>> >  resolution" that reduces DNSSEC's data protection with transport
>> >  security, meaning that any user configured world wide trusted resolver can
>> >  disable the split-dns configuration.
>> > 
>> > While I appreciate the Acknowledgement section that lists my
>> > name to thank me for the "discussion", I do feel that this can be
>> > misunderstood as me agreeing with the draft. I am requesting that
>> > the authors remove my name from this section.
>> > 
>> > Thanks,
>> > 
>> > Paul
>> > 
>> > -- 
>> > Add mailing list
>> > Add@ietf.org
>> > https://www.ietf.org/mailman/listinfo/add
>> 
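As an added illustration of the argument in Paul's bullets above (example code written for this page, not code from the draft, the thread, or any of its participants): a simplified model in which a client accepts a network's claim of authority over a domain only if the network's resolver name appears in the public NS RRset of the zone covering that domain. The `dnssec_validated` flag is an assumption standing in for a validated AD bit on the NS answer; the `AuthorityClaim` and `PublicNsAnswer` structures, the names and the records are constructed and do not reproduce the draft's actual encoding or procedure. The model reproduces the three outcomes the thread discusses: a centrally operated resolver that is listed as a public NS is accepted, a branch resolver running its own independent DNS is refused, and a domain that exists only locally with no public delegation cannot be validated at all. It also shows why the DNSSEC requirement matters: with `require_dnssec=False`, whatever NS RRset the client's currently trusted resolver returns decides the outcome.

```python
"""Toy model of an NS-based split-horizon authority check (constructed example)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PublicNsAnswer:
    """An NS RRset as returned by a recursive resolver (constructed shape)."""
    zone: str
    nameservers: List[str]
    dnssec_validated: bool  # assumption: True when the answer carried a validated AD bit


@dataclass
class AuthorityClaim:
    """What the network asserts it is authoritative for (constructed shape, not the draft's encoding)."""
    resolver_name: str          # name of the network's encrypted resolver
    claimed_domains: List[str]


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def covering_zone(domain: str, answers: Dict[str, PublicNsAnswer]) -> Optional[PublicNsAnswer]:
    """Walk up the labels of `domain` until a zone with a public NS RRset is found."""
    labels = _normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in answers:
            return answers[candidate]
    return None


def evaluate_claim(claim: AuthorityClaim,
                   answers: Dict[str, PublicNsAnswer],
                   require_dnssec: bool) -> Dict[str, Tuple[bool, str]]:
    """Return {domain: (accepted, reason)} for every domain the network claims.

    The claim is accepted only when the network's resolver is one of the public
    name servers of the covering zone.  With require_dnssec=True an unvalidated
    NS answer is rejected outright, because only transport security to whichever
    resolver answered would otherwise vouch for it.
    """
    results: Dict[str, Tuple[bool, str]] = {}
    public_resolver = _normalize(claim.resolver_name)
    for domain in claim.claimed_domains:
        answer = covering_zone(domain, answers)
        if answer is None:
            results[domain] = (False, "no public delegation found for the domain or any parent zone")
            continue
        if require_dnssec and not answer.dnssec_validated:
            results[domain] = (False, f"NS RRset for {answer.zone} is not DNSSEC-validated")
            continue
        listed = {_normalize(ns) for ns in answer.nameservers}
        if public_resolver in listed:
            results[domain] = (True, f"{claim.resolver_name} is a public NS for {answer.zone}")
        else:
            results[domain] = (False, f"{claim.resolver_name} is not among the NS for {answer.zone}")
    return results


# Constructed public view: a validated NS RRset for example.com, as a DNSSEC-aware
# resolver would return it.
PUBLIC_VIEW_VALIDATED = {
    "example.com": PublicNsAnswer("example.com", ["ns1.example.com.", "ns2.example.com."], True),
}

# Constructed view from a resolver that does not validate and returns an NS RRset
# that additionally lists a branch resolver.
PUBLIC_VIEW_UNVALIDATED = {
    "example.com": PublicNsAnswer(
        "example.com",
        ["ns1.example.com.", "ns2.example.com.", "resolver.branch.example.net."],
        False,
    ),
}

# Constructed claims: a centrally operated resolver that is also a public NS, and a
# branch office running its own independent DNS.
CENTRAL_CLAIM = AuthorityClaim("ns1.example.com", ["corp.example.com", "lab.example.org"])
BRANCH_CLAIM = AuthorityClaim("resolver.branch.example.net", ["corp.example.com"])


def demo() -> Dict[str, bool]:
    """Run the four cases discussed in the thread and return accept/reject per case."""
    central = evaluate_claim(CENTRAL_CLAIM, PUBLIC_VIEW_VALIDATED, require_dnssec=True)
    branch_validated = evaluate_claim(BRANCH_CLAIM, PUBLIC_VIEW_VALIDATED, require_dnssec=True)
    branch_unvalidated_lax = evaluate_claim(BRANCH_CLAIM, PUBLIC_VIEW_UNVALIDATED, require_dnssec=False)
    branch_unvalidated_strict = evaluate_claim(BRANCH_CLAIM, PUBLIC_VIEW_UNVALIDATED, require_dnssec=True)
    return {
        "central_resolver_listed_as_ns": central["corp.example.com"][0],
        "local_only_domain_no_delegation": central["lab.example.org"][0],
        "branch_resolver_validated_view": branch_validated["corp.example.com"][0],
        "branch_resolver_unvalidated_view_dnssec_not_required": branch_unvalidated_lax["corp.example.com"][0],
        "branch_resolver_unvalidated_view_dnssec_required": branch_unvalidated_strict["corp.example.com"][0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The fourth case is the one Paul's last bullet describes: with DNSSEC not required, the outcome depends entirely on which resolver the client happens to trust for the NS lookup, so an authority claim that the validated public view rejects can be accepted on the strength of an unvalidated answer.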