Re: [Add] add-enterprise-split-dns and split horizon DNS
Geoff Huston <gih903@gmail.com> Fri, 03 December 2021 01:05 UTC
Return-Path: <gih903@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F4FA3A0D33 for <add@ietfa.amsl.com>; Thu, 2 Dec 2021 17:05:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6bIMiPurgFOo for <add@ietfa.amsl.com>; Thu, 2 Dec 2021 17:05:17 -0800 (PST)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5D9E3A0D32 for <add@ietf.org>; Thu, 2 Dec 2021 17:05:17 -0800 (PST)
Received: by mail-pf1-x42d.google.com with SMTP id g18so1289698pfk.5 for <add@ietf.org>; Thu, 02 Dec 2021 17:05:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6z2gDlgr/mKdeSlHUN2FeyJiwc2D7HVjT5O25DCgdkU=; b=qddDSEqq14f6n/uWWJIi5ANgafIKyGffXcOTC1DDwbFghT/FzuosF2VLgAoIqiyV3k 21gHLrzCisqwowBF8EbYmhci3juDcqwXV9u4pevFMLETzJwE8RtWOqt3zmB68x8Hjmvc bCDkiwzEZ153efpsM1QSV/pWDlqpywyvQSJEc4bNj6kujZmON4obv2Gqv3dzkAYiLBFg 6arEEZHBxdwjGrPUdfEAMGn29s46V3xv/QM36kjqUE/XDkx3AX4UgqG5borEyb+LkLOa v5pswnsJ17Nw+6w9CtFz1Jif43yeLO1Sh4lNVPdR+Tuxn9hBeRiGqXY10dt/hXEEvh2s t15Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6z2gDlgr/mKdeSlHUN2FeyJiwc2D7HVjT5O25DCgdkU=; b=KxUMfGMoCrtIYXaugDbDirDYzfoX2OLOsFpj+h1i+2Ghf7F32s0Fx2qSyU7uEoy3fR XO8nXAbBSkXzWPDKwj+4gIds8ZFh2dGVh7T33cpJ7lCzJQtg61/m/EUU5/QuGY90+6kg vWzyXiJ8Vil2iN1c1ZdjUIhHgg35/eGaUKl26yjeZmD09LNHEPU11yfiEIs7FiIURPwP epueNUMJmWH7+zZYP9bspomcXrhnsU8O374M/nwidFQEGv0EtvH7kFc20JqPanOKEE7a F+DgmkIffLZ3dotx79ztarSjdL/bmd8BjqfQLZxXlniYROie/ty/m7eQ+sS+jsx/RICM tBeQ==
X-Gm-Message-State: AOAM531PrBtTfKbVb/jIvCZxMpb4mhysoXp2HnaEiNr7JsKkZCMKpNvQ Nax6+zZSt1gYG1lw6Q9BtHpm8tXuAX+olQ==
X-Google-Smtp-Source: ABdhPJxxDXmG/DS4WDbD0vmKT++R2RntVEBBqKgO/mTznAXoD6L3xE8vgiKwlygsbJb+7z68VnThgA==
X-Received: by 2002:a63:e501:: with SMTP id r1mr2113455pgh.163.1638493516043; Thu, 02 Dec 2021 17:05:16 -0800 (PST)
Received: from smtpclient.apple (2001-44b8-110b-5100-ac58-b0cc-c91c-d833.static.ipv6.internode.on.net. [2001:44b8:110b:5100:ac58:b0cc:c91c:d833]) by smtp.gmail.com with ESMTPSA id c6sm1056874pfv.54.2021.12.02.17.05.14 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 Dec 2021 17:05:15 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.20.0.1.32\))
From: Geoff Huston <gih903@gmail.com>
In-Reply-To: <CABcZeBMyZLSE2HZ2dL+P6Dq3hMaG2QgTRrUuAjHTB7pJpXTaMQ@mail.gmail.com>
Date: Fri, 03 Dec 2021 12:05:11 +1100
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, ADD Mailing list <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8AF4482A-A656-4999-8127-39D94FC914AF@gmail.com>
References: <152347.1638473207@dooku> <CABcZeBMyZLSE2HZ2dL+P6Dq3hMaG2QgTRrUuAjHTB7pJpXTaMQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3693.20.0.1.32)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/FRVLgrPEaqzxA6-_LLTYFY_894U>
Subject: Re: [Add] add-enterprise-split-dns and split horizon DNS
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Dec 2021 01:05:22 -0000
> On 3 Dec 2021, at 11:34 am, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Thu, Dec 2, 2021 at 11:27 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > I have just watched the ADD-20211108-1600 session from IETF112. > I had a conflicting session. > > What I took from the conversation is that many people would like to solve DDR > in a split-horizon situation, and that if we could find a solution that > solved typo-squatting by local resolvers that would also be very welcome. > (typo-squatting is of course trivially solved by DNSSEC, which I'm told > browsers refuse to implement because miliseconds...) > > I don't know who told you this, but that's not the reason that browsers do not > implement DNSSEC. The primary reason that browsers do not implement DNSSEC is > because of concerns that otherwise valid resolutions will fail due to recursive > resolvers/middleboxes incorrectly handling DNSSEC records, thus resulting > in increased user-visible error rates. > Hi Eric, Each time this topic comes up (why browsers do not use DNSSEC, or the related topic as to why browsers do not use DANE) I hear different “primary reasons”. - It takes too long, - RSA-1024 is insecure, - the DNS does not cope with large responses, - the DNS provisioning infrastructure does not support DS records, and now I am reading here from your message that: - middleboxes (I assume you mean DNS forwarders?) and recursive resolvers erroneously fail. So can I take it from your message here that this concern that recursive resolvers got DNSSEC all wrong is “the primary reason” why browsers do not use DNSSEC, and also the related topic as to why browsers do not use DANE. Over the years, I have picked up this sense that each time this topic is raised, a different “primary reason” is offered as to why the browserverse appears to be avoiding use of DNSSEC. So if we headed into pinning down the behaviours of DNS resolution infrastructure and their DNSSEC capabilities with measurement we could replace these vague dataless assertions with data that could prove or disprove this “primary reason”. Would you agree? Thanks, Geoff
- [Add] add-enterprise-split-dns and split horizon … Michael Richardson
- Re: [Add] add-enterprise-split-dns and split hori… Eric Rescorla
- Re: [Add] add-enterprise-split-dns and split hori… Geoff Huston
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Deen, Glenn (NBCUniversal)
- Re: [Add] add-enterprise-split-dns and split hori… Dan Wing
- Re: [Add] add-enterprise-split-dns and split hori… Paul Wouters
- Re: [Add] add-enterprise-split-dns and split hori… Vinny Parla (vparla)
- Re: [Add] add-enterprise-split-dns and split hori… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Michael Richardson
- Re: [Add] add-enterprise-split-dns and split hori… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Dan Wing
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Joe Abley
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Paul Wouters