[Add] add-enterprise-split-dns and split horizon DNS
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 02 December 2021 19:26 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0B5A3A0486 for <add@ietfa.amsl.com>; Thu, 2 Dec 2021 11:26:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YObC6Nw4a0Cv for <add@ietfa.amsl.com>; Thu, 2 Dec 2021 11:26:51 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B2403A0485 for <add@ietf.org>; Thu, 2 Dec 2021 11:26:50 -0800 (PST)
Received: from dooku.sandelman.ca (cpe788a207f397a-cmbc4dfb96bb50.sdns.net.rogers.com [174.116.121.43]) by relay.sandelman.ca (Postfix) with ESMTPS id F0CAD1F4A8 for <add@ietf.org>; Thu, 2 Dec 2021 19:26:48 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 81C701A040A; Thu, 2 Dec 2021 14:26:47 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: add@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 02 Dec 2021 14:26:47 -0500
Message-ID: <152347.1638473207@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/HmntkXtyaU7XCvawI93Dw0jJygY>
Subject: [Add] add-enterprise-split-dns and split horizon DNS
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Dec 2021 19:26:56 -0000
I have just watched the ADD-20211108-1600 session from IETF112. I had a conflicting session. What I took from the conversation is that many people would like to solve DDR in a split-horizon situation, and that if we could find a solution that solved typo-squatting by local resolvers that would also be very welcome. (typo-squatting is of course trivially solved by DNSSEC, which I'm told browsers refuse to implement because miliseconds...) The document says: A typical use case is an Enterprise network that requires one or more DNS domains to be resolved via network-designated DNS servers. This can be a special domain, such as "corp.example.com" for an enterprise that is publicly known to use "example.com". In this case, the endpoint needs to be informed what the private domain names are and what the IP addresses of the network-designated DNS servers are. An Enterprise can also run a different version of its global domain on its internal network. In that case, the client is instructed to send DNS queries for the enterprise public domain (e.g., "example.com") to the network-designated DNS servers. A configuration for this deployment scenario is referred to as a Split DNS configuration. Another use case for split-horizon DNS is Cellular and Fixed-access networks (ISPs) typically offer private domains, including account status/controls, and free education initiatives [INS]. and I'd like to strongly distinguish the case of "corp.example.com" (I've also seen and used "intranet.example.com"...) from one where there are different "authoritative" views of example.com. In fact, I'd like the document to put these two into different sections. I think that we need to write a BCP that strongly encourages corp.example.com as the model for hiding names. Dan and Wesley mentioned previous efforts that had failed. I'd like to understand more about what was proposed and how/when/why they failed. Maybe the issues are different now and we could get consensys around something. Yeah, maybe that does not fit into the ADD charter: but it seems that ADD (DDR) might be a forcing function to finally do something here. I don't like the solution in this document. I am in favour of solving the problem though. I don't like PvD at all. But, the entire issue seems to fall into the "Doctor! Doctor! It hurts when I push this knife into the electrical socket! What can you prescribe to deal with the hurt?" -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Add] add-enterprise-split-dns and split horizon … Michael Richardson
- Re: [Add] add-enterprise-split-dns and split hori… Eric Rescorla
- Re: [Add] add-enterprise-split-dns and split hori… Geoff Huston
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Deen, Glenn (NBCUniversal)
- Re: [Add] add-enterprise-split-dns and split hori… Dan Wing
- Re: [Add] add-enterprise-split-dns and split hori… Paul Wouters
- Re: [Add] add-enterprise-split-dns and split hori… Vinny Parla (vparla)
- Re: [Add] add-enterprise-split-dns and split hori… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Michael Richardson
- Re: [Add] add-enterprise-split-dns and split hori… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Dan Wing
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Joe Abley
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Michael Richardson
- Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns… Paul Wouters