Re: [Add] some background on split DNS with DNSSEC

Bill Woodcock <woody@pch.net> Tue, 09 November 2021 15:23 UTC

From: Bill Woodcock <woody@pch.net>
Message-Id: <418D9CE4-6134-447A-A863-F028C325E4FF@pch.net>
Date: Tue, 09 Nov 2021 16:23:28 +0100
In-Reply-To: <b0527e86-9636-1d80-c2cf-526c6b050b90@lear.ch>
Cc: Ted Lemon <mellon@fugue.com>, add@ietf.org
To: Eliot Lear <lear@lear.ch>
References: <yblk0hio8pu.fsf@w7.hardakers.net> <28611.1636465525@localhost> <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com> <aea95242-4e80-e4cb-b5bb-da34105e7ed1@lear.ch> <CAPt1N1kGs851Q_BMq1NDzm80xHbrKLJWwt1JzAmZAtafXeoqPg@mail.gmail.com> <BF4069C2-225D-4BA6-97FC-5CB6B09DA657@pch.net> <b0527e86-9636-1d80-c2cf-526c6b050b90@lear.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/77nkxdqUtvvSVSB4TDsY6nPK3TY>
Subject: Re: [Add] some background on split DNS with DNSSEC


> On Nov 9, 2021, at 4:20 PM, Eliot Lear <lear@lear.ch> wrote:
> 
> 
> On 09.11.21 16:18, Bill Woodcock wrote:
>> 
>> Can you elaborate?
>> 
>> If people are already maintaining two “views” of a namespace, and signing both with the same keys, how would it get easier?  I mean, short of not maintaining two views?
> 
> More often than not, they're not operating DNSSEC at all because of the complexity of the above.

I don’t see how the two are connected, though…

If you’re operating a split view, there’s a degree of complexity involved in managing the separation after the split (or, more likely, you just have two different sources of authority, but it comes to the same thing).  If you’re DNSSEC signing, you’ve got a process for that, and you’re running zones through it.  Both are complex processes, but neither makes the other more complex than it would have been otherwise, that I can see...

                                -Bill
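An added illustration of the point under discussion (example code, not from the thread or from any DNSSEC implementation): two views of the same name, signed with one key. It uses Ed25519 from Go's standard library as a stand-in for an RRSIG over a simplified canonical RRset (not the RFC 4034 wire format), and the addresses and names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type and rdata (no TTL/class).
type RR struct{ Name, Type, Data string }

// canonical builds a deterministic byte string for an RRset (owner lowercased,
// records sorted), in the spirit of RFC 4034 canonical form but not the wire format.
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, rr := range rrs {
		lines[i] = strings.ToLower(rr.Name) + "\t" + rr.Type + "\t" + rr.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Sign produces a stand-in RRSIG over an RRset with the zone's private key.
func Sign(priv ed25519.PrivateKey, rrs []RR) []byte { return ed25519.Sign(priv, canonical(rrs)) }

// Verify checks an RRset and its stand-in RRSIG against the zone's public key (DNSKEY).
func Verify(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrs), sig)
}

// SplitViewDemo signs an internal and an external view of www.example.com with
// the same key and reports: internal validates, external validates, and a
// signature from one view does not cover the other view's data.
func SplitViewDemo() (internalOK, externalOK, mixedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	internal := []RR{{"www.example.com.", "A", "10.0.0.10"}}  // constructed, RFC 1918 address
	external := []RR{{"www.example.com.", "A", "192.0.2.10"}} // constructed, documentation prefix
	sigInt, sigExt := Sign(priv, internal), Sign(priv, external)
	internalOK = Verify(pub, internal, sigInt)
	externalOK = Verify(pub, external, sigExt)
	// One DNSKEY validates both views, so a validator cannot tell which view
	// answered; it does reject internal rdata paired with the external RRSIG.
	mixedOK = Verify(pub, internal, sigExt)
	return
}

func main() {
	i, e, m := SplitViewDemo()
	fmt.Printf("internal=%v external=%v mixed=%v\n", i, e, m)
}
```

The signing step is the same for either view; what the split adds is only the bookkeeping of which RRset belongs to which view, which is the separation being discussed above.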