IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Eliot Lear <lear@lear.ch> Tue, 09 November 2021 15:20 UTC

Return-Path: <lear@lear.ch>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1793C3A0E55 for <add@ietfa.amsl.com>; Tue, 9 Nov 2021 07:20:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.42
X-Spam-Level:
X-Spam-Status: No, score=-5.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.33, SPF_PASS=-0.001, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=lear.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eds60-nx2dm4 for <add@ietfa.amsl.com>; Tue, 9 Nov 2021 07:20:15 -0800 (PST)
Received: from upstairs.ofcourseimright.com (upstairs.ofcourseimright.com [185.32.222.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 496EC3A0E59 for <add@ietf.org>; Tue, 9 Nov 2021 07:20:15 -0800 (PST)
Received: from [IPV6:2001:420:c0c0:1011::8] ([IPv6:2001:420:c0c0:1011:0:0:0:8]) (authenticated bits=0) by upstairs.ofcourseimright.com (8.15.2/8.15.2/Debian-18) with ESMTPSA id 1A9FKAHZ2051167 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Tue, 9 Nov 2021 16:20:11 +0100
Authentication-Results: upstairs.ofcourseimright.com; dmarc=none (p=none dis=none) header.from=lear.ch
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lear.ch; s=upstairs; t=1636471211; bh=QGLEqUqIbHeJpR/0FFWz63W0kCpRjqhhgfiB1LchO7Y=; h=Date:Subject:To:References:From:In-Reply-To:From; b=fSexaRrgHvslYwswl38/aAk8onwE7rLem8giP46290dq4j4tNVOR/gY/BBBuHKniO 6gstzudzwbNb5J7BtJAK44GZj26SY7JYVb26uzCYTbLJI6iF0QCEqGCOTmKguOWHMo nOGF3Vsdxtq1VowUG+LguMPAF7oXLDKyqLKVnfhw=
Message-ID: <b0527e86-9636-1d80-c2cf-526c6b050b90@lear.ch>
Date: Tue, 09 Nov 2021 16:20:09 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
Content-Language: en-US
To: Bill Woodcock <woody@pch.net>, Ted Lemon <mellon@fugue.com>, add@ietf.org
References: <yblk0hio8pu.fsf@w7.hardakers.net> <28611.1636465525@localhost> <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com> <aea95242-4e80-e4cb-b5bb-da34105e7ed1@lear.ch> <CAPt1N1kGs851Q_BMq1NDzm80xHbrKLJWwt1JzAmZAtafXeoqPg@mail.gmail.com> <BF4069C2-225D-4BA6-97FC-5CB6B09DA657@pch.net>
From: Eliot Lear <lear@lear.ch>
In-Reply-To: <BF4069C2-225D-4BA6-97FC-5CB6B09DA657@pch.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------0MVDX82pc071pkJ7IV39Qs00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/CuUAm-wQ76mxQuiYOubX1ktEjYA>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 15:20:21 -0000

On 09.11.21 16:18, Bill Woodcock wrote:
>
> Can you elaborate?
>
> If people are already maintaining two “views” of a namespace, and signing both with the same keys, how would it get easier?  I mean, short of not maintaining two views?

More often than not, they're not operating DNSSEC at all because of the 
complexity of the above.

Eliot

v2.23.0 | Report a Bug | By Email