Re: [Add] some background on split DNS with DNSSEC

"Deen, Glenn" <Glenn_Deen@comcast.com> Tue, 09 November 2021 21:08 UTC

From: "Deen, Glenn" <Glenn_Deen@comcast.com>
To: "add@ietf org" <add@ietf.org>
Thread-Topic: [Add] some background on split DNS with DNSSEC
Thread-Index: AQHX1a3bx4mn7M+74EqzoswY1Q1Kcw==
Date: Tue, 09 Nov 2021 21:07:51 +0000
Message-ID: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/16.54.21101001
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: GgrsPoONCoVzDLDKTukpadiH49xRgzm+DimrzSiEYpMsdO/fC/cWpCJa/WmefCxHDmqSHYDHfT6da1HaOpdur+NgeqoVoT4uVFRYq2FfGSz3sO1GaRB8Sccxq7tCnGP5DRaPgJ9t9n+w92RZErTVpz9u4gAP9+rTpMOqB5xgbSZo+4qJ2nxn2aBFuVA7zGBHDW3qwoV4LttJsTWNK6goAgYGIH7u4Q4O1SjhJ/ZcV2PMWPXivEUdzvn3AxtjVpnDmPh6IfFggsxxCaWsnmOR3OV7Lowytv8zhCcnIXphUa7ARu8+gjy0n5TJ1sTXtMTMn/+n+8GYtgPDXK14HEzj9VB1Ver3Y8qC+kkIH4ORjsJ+X625SjIHdRr6Pw5wt26CSEJFAsOPmvELhbhORSi233ZBbes0Rc47KRSFRz30aDlfIASF6WmiS1swf9ewiWYDxfwj4IJ8H2ZutK/Le+t0us6XVf6MevWKyiYfExmm6l4GU2bTQ4f9Q6oaQfMtFKuGFH7n1IDNLnxTVWVrg4xOkedYDZUXcjqRrJ5979Ms35oPdTkVgWvi/DsQ7MXxwepRnY5aGnjxyOo9gzHD3vRFjC7af65r1/7Qu/Z6xfCkD1P1PernAqiqTDJqax6a/N8nPDnwrk5nup9Cc58oqEj9+8pMhFsFT3oMz15y5iMSeBEn1ZUmronoZBRkkd3KGFc0XolbxCNdfKnxZ+ynMY6VwxmVRGP5ivBskc8JRQvdKaf0v2hp6OTpzmbRbhmkyV9tHTw3XzdaNAm9mZXQrKrZjti1JNQ8CrRGgEHu5or9GwrpAKZSTOFl3Pmxxve4pjr3cyHxbdQnMLgSg0hAG7NoQZ01sqdiW6QVlT9LPdREJs0ptzhbupqSZeFyiFkkvsXtVJTe4bBfyCJYisfzSeKcBEmUI9VNJitJ0ZolEpcWyLk1COFXgL0bW2jbiMz7lP35WWUh7tlgN5QprTAOqLFKCRsuzko0fADtNHbMujovv0jkRbtZHs/bCeVxjex8v7C/Kr+b9q8LEPh22klxQCfr9h6Yoak3aX3IfybVKSyZzOBLc9Y23iQaBCeBpWuiqo9vtNHAFJfBky3wwYFN4bBLSJrUslD18bvLuYhhAHMl8uVW6/yOmAFnAb7aMq9G+1fIaI0oA5fwcykU2PEjqcXeRvG6mIByYVKhBd4auMBwxmQqLEWm47ZClOiz1PyfV7rY5NN3pZQAe1NCNMI1K/UD62hdAMdRSFp8qcdQQnb+M6f6608x0mzid0hJMgNBn2enbN/YDaMExljgha8oDqC5qvPmcJ/v01h+zRcAcupu+F/oW3ubH+sniAkXrhd3YUEcQiqPIyOYVbBMJwWg0MH0/lK+aa5ggIBrZ2TO8PQacpeDz4oT8k4RhrMP8x9cnslfynlgPb5LcwshcteJ2EMSZtb9NS6JWHpi/lHzosWV1KspYBkOgQDmlI6VrcBb/r2ztzrpEBV1M2FZp0t3gHqje8sdE4L/L/KHwtG5cqYkBz3EXbjNGk7qJaFrdPE761NkByQBOfGdqxd7oi6H2IsVAJ8TuKKSgEO2JGsjfAt/0+H8WAkPJJADR3vJRGLLjkhB7qnSuhCImW+kwUct9+lH5uRHeOKD+HI1Oo+a3/4L6onpVKOQ1phXAOPP9WhKDNME5D6v/Sm6iY+a3rkyEl6hMugzJAtIBoPsUJ9aNp/O6MjIaezcfEz4C4iMoS0LU9GJJ7OzIofGq9ABet79gkTGKJXISa5W6l7UYKgnQbtK1Zc=
arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KtjzVUsgQgCiFq5xJjbzjJW8pPcTsnWVBXCau42/OGmF/k+rPKyXBUVJfXITyqNPX1npcSzd+6Tv9uo8H5y//tUa0DKGb92IOCkT1kmfsDJZTleitr+wVk4Lu2ek0lBkqD4k0z94zT6APlv5adzBr0TzH6BN807DrpxPxPq+Bu5VxeEPJDUPd1q3lOw99rp/ibgJU6RQyq/pNVIDlOhyyt2C0POVB9SM7cgz1r38nCwXheIRvzjGTluzYiuO/pAtBzTN+HjkefWQ1OK8sEuf6IIIe4IeLrbbEGVn6Rq4QWjO7Gbim3QL1ltv9fNkWo2UmIJ+TfljcTvhgTRQyMAumQ==
arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=nP1AXociyWF34TlYpcReN1YDwEgOAeEaa0q72PSsDyI=; b=UFs8K3bP7bBb/Lwb1FtHD54GL+qBBpoKti1mLPBtXdBEWyTTnvhv5tzV0L/UdGpSBLlyhzBTS6lyLmJheTrLM9D2f7xagDSRcIKEHr+mMOn6mFmvpykiMfrXit2O9/Lidxo++FLcvKhNj3H3ZyFYkFJsSIrIilSkYUQH1eHsofhwkjkAABAqOgIe7JiwY3MF4HSqIXgokK7Lk7do8WCdw2u4vMg3iBC4WWDmh3OqBeprQFwXRfAHrNhppURymqDoenabXCCutKmOF5Z21ToNoSaeeyS4y/vdk8JUTViSGDil9/Fssq7o7Xf3gxx9ZHMrZjH11kzrbNCkNqVXwrIagw==
arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=comcast.com; dmarc=pass action=none header.from=comcast.com; dkim=pass header.d=comcast.com; arc=none
x-ms-exchange-crosstenant-authas: Internal
x-ms-exchange-crosstenant-authsource: BYAPR11MB3111.namprd11.prod.outlook.com
x-ms-exchange-crosstenant-network-message-id: e2766ae9-98af-457e-d86d-08d9a3c4fde8
x-ms-exchange-crosstenant-originalarrivaltime: 09 Nov 2021 21:07:51.7009 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Hosted
x-ms-exchange-crosstenant-id: 906aefe9-76a7-4f65-b82d-5ec20775d5aa
x-ms-exchange-crosstenant-mailboxtype: HOSTED
x-ms-exchange-crosstenant-userprincipalname: uBQTTlUJZVCSUoFS8Sl04Wq06RkXxL4HZ9kV3JK9q100Mg4oRjvK2mY4VpLQY1jLUWcTIrUd4jYTIH53zxhatc/Z7QccP5zQi0QjQ3xareE=
x-ms-exchange-transport-crosstenantheadersstamped: SJ0PR11MB5867
x-originatororg: comcast.com
Content-Type: text/plain; charset="utf-8"
Content-ID: <449E4CEE778D8348BAED500C2F34DD18@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Forward AAETWT
X-Proofpoint-GUID: f2qJwcAGtrLWKXzB5r-OYNkxdQggt2oH
X-Proofpoint-ORIG-GUID: f2qJwcAGtrLWKXzB5r-OYNkxdQggt2oH
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-09_06,2021-11-08_02,2020-04-07_01
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/AyDNVSEA2bfvQ0gWz9Y1-C_54VI>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 21:08:09 -0000

Item #1:

Chair dusting off his fancy chair hat and saying, before this gets too off track  ....
     - gentle nudge to everyone to stay focused on the core ADD related issues here -

Item #2:

ADD may at times be willing to tackle some hard stuff such as how to discover encrypted DNS servers, but ADD is very much not chartered to take on something as impossible as trying to unravel several decades worth of various DNS and naming architecture choices that many of us would very much like to go back and have a second, hopefully wiser attempt at.

That is a topic that needs a stool, a beverage and the in-person ability to sigh, roll eyes, shake our heads mournfully and show the all wisdom we have gained by learning the consequences that come years later from decisions that may have made perfect sense at the time.

Item #3:

That said, what ADD is chartered to do is to look at how to do encrypted DNS resolver discovery in the environments that users do live in, and not just environments that we think they should be in, so with the background on DNSSEC that started this chain, and EKR's moment of actually putting a good word in for DNSSEC during the ADD session,  does the group see there being a role here for DNSSEC?

-glenn

[Add] some background on split DNS with DNSSEC Wes Hardaker
Re: [Add] some background on split DNS with DNSSEC Michael Richardson
Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
Re: [Add] some background on split DNS with DNSSEC Joe Abley
Re: [Add] some background on split DNS with DNSSEC Tommy Pauly
Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
Re: [Add] some background on split DNS with DNSSEC Eliot Lear
Re: [Add] some background on split DNS with DNSSEC Ted Lemon
Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
Re: [Add] some background on split DNS with DNSSEC Eliot Lear
Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
[Add] Why so complex? (was Re: some background on… Martin Thomson
Re: [Add] some background on split DNS with DNSSEC Eliot Lear
Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
Re: [Add] some background on split DNS with DNSSEC Jim Reid
Re: [Add] some background on split DNS with DNSSEC Eliot Lear
Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
Re: [Add] some background on split DNS with DNSSEC Eliot Lear
Re: [Add] Why so complex? (was Re: some backgroun… Paul Wouters
Re: [Add] some background on split DNS with DNSSEC Paul Wouters
Re: [Add] some background on split DNS with DNSSEC Joe Abley
Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
Re: [Add] some background on split DNS with DNSSEC Paul Wouters
Re: [Add] some background on split DNS with DNSSEC tirumal reddy
Re: [Add] some background on split DNS with DNSSEC tirumal reddy
Re: [Add] some background on split DNS with DNSSEC tirumal reddy
Re: [Add] some background on split DNS with DNSSEC Dan Wing
Re: [Add] some background on split DNS with DNSSEC Dan Wing
Re: [Add] some background on split DNS with DNSSEC Wes Hardaker
Re: [Add] Why so complex? (was Re: some backgroun… Ben Schwartz
Re: [Add] some background on split DNS with DNSSEC Joe Abley
Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
Re: [Add] some background on split DNS with DNSSEC Michael Richardson
Re: [Add] some background on split DNS with DNSSEC Michael Richardson
Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
Re: [Add] Why so complex? (was Re: some backgroun… Bill Woodcock
Re: [Add] some background on split DNS with DNSSEC tirumal reddy
Re: [Add] Why so complex? (was Re: some backgroun… Martin Thomson
Re: [Add] some background on split DNS with DNSSEC Ted Hardie
Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
Re: [Add] some background on split DNS with DNSSEC tirumal reddy
Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
Re: [Add] some background on split DNS with DNSSEC tirumal reddy