Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

Tommy Pauly <tpauly@apple.com> Fri, 12 March 2021 19:00 UTC

From: Tommy Pauly <tpauly@apple.com>
Date: Fri, 12 Mar 2021 11:00:11 -0800
Cc: tirumal reddy <kondtir@gmail.com>, ADD Mailing list <add@ietf.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/I_IR_hIzZ6DgBK2CZ9Lli9Rs3ys>


> On Mar 11, 2021, at 11:02 AM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> Thanks for the updates.  Some comments
> 
> Section 6:
>    If an Enterprise network restricts all the DNS queries to be sent to
>    the network-provided DNS server, SplitDNSAllowed will be set to
>    false.
> 
> This is clearly a policy prescription, and is out of scope.  I think this key should be removed from the draft.

Agreed. I think the main issue is that this ends up being an “evil bit”. There’s no reason for a client to trust or respect this value, unless they already have a strong MDM-style relationship, in which case this wouldn’t be needed.

I am in favor of letting the network prove authority for private domains, or even present an identity for itself as the network operator. It’s up to the client to use those or ignore those.

The one thing the network could do that might be useful is provide a flag that it will be actively hostile to any DNS traffic it detects that does not go to itself, with some reason text. The (minimal) value there is to allow a client to present a reason for things being broken if the user of the client device also has a strict policy to not trust this network.

Tommy
> 
> > [RFC7149] recommends validation of responses using NSEC3.
> 
> Nit: RFC 7129.
> 
> Broader note: I think it would be better to drop the "private-only" flag, as well as the NSEC test and top-domains list.  While this arrangement of claiming domain names that are known not to exist globally is possibly allowed by RFC 2826, I don't think it's a good practice.  For example, there is no such domain as "login.citibank.com", but I think it would be bad security practice (and also a bad architecture) to allow networks to claim that name.
> 
> Note that private-only names are still supported.  If the local resolver is authoritative for corp.example.com, it can serve queries for login.corp.example.com, even if login.corp.example.com is NXDOMAIN when queried externally.
> 
> On Thu, Mar 11, 2021 at 1:26 AM tirumal reddy <kondtir@gmail.com> wrote:
> The revised draft https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns-01 addresses
> comments from Ben. Further comments and suggestions are welcome.
> 
> Cheers,
> -Tiru
> 
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Thu, 11 Mar 2021 at 11:54
> Subject: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
> To: Tirumaleswar Reddy.K <kondtir@gmail.com>, Dan Wing <danwing@gmail.com>
> 
> 
> 
> A new version of I-D, draft-reddy-add-enterprise-split-dns-01.txt
> has been successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
> 
> Name:           draft-reddy-add-enterprise-split-dns
> Revision:       01
> Title:          Split-Horizon DNS Configuration in Enterprise Networks
> Document date:  2021-03-10
> Group:          Individual Submission
> Pages:          12
> URL:            https://www.ietf.org/archive/id/draft-reddy-add-enterprise-split-dns-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-reddy-add-enterprise-split-dns/
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns
> Htmlized:       https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-01
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-reddy-add-enterprise-split-dns-01
> 
> Abstract:
>    When split-horizon DNS is deployed by an enterprise, certain
>    enterprise domains are only resolvable by querying the network-
>    provided DNS server.  DNS clients which use DNS servers not provided
>    by the network need to route those DNS domain queries to the network-
>    provided DNS server.  This document informs DNS clients of split-
>    horizon DNS, their DNS domains, and is compatible with encrypted DNS.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> 
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
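Added example, not code from the draft or from either participant: client-side routing logic for the stance taken in this thread, where a network-asserted SplitDNSAllowed-style bit is ignored and a query goes to the network-provided resolver only when the client has verified the network's authority for a zone covering the name. The `NetworkClaims` fields, `choose_resolver`, `diagnose`, and the `blocks_external_dns` flag with its reason text are assumptions modelling the "actively hostile network" flag suggested above; how an authority proof is obtained is outside this example.

```python
from dataclasses import dataclass

@dataclass
class NetworkClaims:
    claimed_zones: set                 # zones the network says are split-horizon
    proven_zones: set                  # zones whose authority the client verified
    blocks_external_dns: bool = False  # hypothetical flag discussed in the thread
    block_reason: str = ""             # hypothetical reason text for that flag

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def _under(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of zone."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)

def choose_resolver(qname: str, claims: NetworkClaims):
    """Return ("network", zone) only when the most specific claimed zone
    covering qname is also proven; a bare claim is ignored (the "evil bit")."""
    covering = [z for z in claims.claimed_zones if _under(qname, z)]
    if not covering:
        return ("external", None)
    zone = _norm(max(covering, key=len))
    if zone in {_norm(p) for p in claims.proven_zones}:
        return ("network", zone)
    return ("external", None)

def diagnose(qname: str, claims: NetworkClaims, user_trusts_network: bool = True) -> str:
    """Explain the routing decision, including why resolution may break."""
    target, zone = choose_resolver(qname, claims)
    if target == "network":
        return f"{qname}: network resolver (authority proven for {zone})"
    notes = []
    unproven = [z for z in claims.claimed_zones if _under(qname, z)]
    if unproven:
        notes.append(f"claim for {_norm(max(unproven, key=len))} ignored: no proof of authority")
    if claims.blocks_external_dns and not user_trusts_network:
        notes.append(f"network says it blocks external DNS ({claims.block_reason}); "
                     "user policy refuses its resolver, so resolution may fail")
    return f"{qname}: external resolver" + ("; " + "; ".join(notes) if notes else "")

# Constructed sample: the network claims its corp zone (verified by the client)
# and also a public bank name it cannot prove authority for.
SAMPLE = NetworkClaims(claimed_zones={"corp.example.com", "login.citibank.com"},
                       proven_zones={"corp.example.com"}, blocks_external_dns=True,
                       block_reason="enterprise policy requires the network resolver")
```

Calling `diagnose(q, SAMPLE, user_trusts_network=False)` for each of `login.corp.example.com`, `login.citibank.com` and `www.example.org` shows the three outcomes: routed to the network, claim ignored, and external with a stated reason for likely breakage.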