Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns

"Diego R. Lopez" <diego.r.lopez@telefonica.com> Fri, 13 May 2022 08:28 UTC

From: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
To: Eliot Lear <lear@lear.ch>, Paul Wouters <paul@nohats.ca>, "bemasc@google.com" <bemasc@google.com>
CC: ADD Mailing list <add@ietf.org>
Date: Fri, 13 May 2022 08:28:42 +0000
Message-ID: <5D01FBF6-6F23-4414-AA10-3CD4D65D6DE2@telefonica.com>
References: <BYAPR11MB3111FD2D0FF61231304A5F3DEAC29@BYAPR11MB3111.namprd11.prod.outlook.com> <CAHbrMsAcpHFon+JS9jsLdqANt+1FmkA_VDAwW4PSUDMJwtbavA@mail.gmail.com> <14b56185-4fe3-8e4b-adcf-22ddb624329@nohats.ca> <6091dcb9-0d91-6666-2c3f-ae8da960242b@lear.ch>
In-Reply-To: <6091dcb9-0d91-6666-2c3f-ae8da960242b@lear.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/J4DGkk0vhUQ55dAfodNIlp7-pI8>
List-Id: Applications Doing DNS <add.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>

Hi,

I take advantage of Eliot's statement to essentially agree with him and support adoption. There are a few aspects related to choices and enterprise environments I think would require more discussion, but this is what adoption is for...

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
https://www.linkedin.com/in/dr2lopez/

e-mail: diego.r.lopez@telefonica.com
Mobile:  +34 682 051 091
----------------------------------

On 13/05/2022, 10:20, "Add on behalf of Eliot Lear" <add-bounces@ietf.org on behalf of lear@lear.ch> wrote:

    Hi,

    On 05.05.22 21:57, Paul Wouters wrote:
    > The only real solution I see is one similar to the IKEv2 split-DNS case,
    > one where there is basically an authenticated and authorized
    > provisioning step that enables the user to join an "enterprise network"
    > which can demand all or a subnet of DNS traffic which the user is required
    > to opt-in to. And even that is tricky when a user is kinda forced to
    > accept to get any connectivity, say in a hotel or coffeeshop (or
    > repressive regime)

    I think you are aiming at the fundamental problem, Paul: is there a way
    for the user to decide who to trust.  Ben's pointed out the UX problems
    with answering that question.  For enterprise assets that clearly has to
    be the enterprise.  The only question really is how to bootstrap trust
    in the enterprise.  Any draft trying to address split DNS has to assume
    that has happened.  That part can't be in scope here.

    What this or any draft has to do is be a bit clearer in stating that and
    then show how that bootstrapping of trust is leveraged to address split
    DNS, either via resolver selection at a gross or fine level, or through
    other means.  Right now I think it is trying to demonstrate that through
    multiple mechanisms, and that is what is making things rather hard to
    follow.  That's because there is no one-size-fits-all solution because
    enterprises come in many shapes and forms.  To some, leaking a modest
    amount of NS records is okay.  The pollution argument you raise is only
    relevant in as much as domains outside the enterprise control would be
    polluted.  If that's not the case, then it's a matter for an enterprise,
    and nobody else's business.

    So I support adoption of this draft, but I do think it needs a lot more
    work to be clearer on the bootstrapping that is occurring.

    Eliot
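As an added illustration of the point Eliot makes above (this is not code from the draft, from Eliot, or from anyone else in the thread), the following Python models the resolver-selection step once the trust bootstrap is assumed to have already happened. The bootstrap is represented only by its outcome: a set of domains the enterprise has been verified to control. Claimed domains that fall under a verified domain are honoured; claims for anything outside enterprise control are dropped, which is the "pollution" case the thread discusses. Selection can then be "gross" (every query goes to the enterprise resolver, after the user's opt-in) or "fine" (only queries under the honoured domains). All hostnames and domain lists below are constructed placeholders, and `EnterpriseProfile`, `effective_domains`, `rejected_claims` and `select_resolver` are names chosen here, not anything defined by the draft.

```python
"""Split-DNS resolver selection gated on verified enterprise domains.

Added example; not code from draft-reddy-add-enterprise-split-dns or from
any participant in the thread. The trust bootstrap itself is out of scope
(as Eliot says) and appears only as the `authorized_domains` input, which
is assumed to be the result of an authenticated provisioning step.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class EnterpriseProfile:
    resolver: str                        # placeholder name of the enterprise encrypted resolver
    claimed_domains: frozenset[str]      # domains the enterprise asks to resolve
    authorized_domains: frozenset[str]   # domains verified during the (out-of-scope) trust bootstrap
    gross: bool = False                  # True: user opted in to sending all DNS traffic to the enterprise


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Corp.Example.' and 'corp.example' compare equal."""
    return name.rstrip(".").lower()


def _under(qname: str, domain: str) -> bool:
    """Label-aligned suffix match: 'www.corp.example' is under 'corp.example', 'notcorp.example' is not."""
    q, d = _normalize(qname), _normalize(domain)
    return q == d or q.endswith("." + d)


def effective_domains(profile: EnterpriseProfile) -> frozenset[str]:
    """Claimed domains that sit under a verified domain; everything else is refused, not honoured."""
    return frozenset(
        c for c in profile.claimed_domains
        if any(_under(c, a) for a in profile.authorized_domains)
    )


def rejected_claims(profile: EnterpriseProfile) -> frozenset[str]:
    """Claims outside enterprise control: the names that would be 'polluted' if honoured blindly."""
    return profile.claimed_domains - effective_domains(profile)


def select_resolver(qname: str, profile: EnterpriseProfile,
                    default_resolver: str = "public-resolver.example") -> str:
    """Gross selection sends every query to the enterprise; fine selection only the honoured subset."""
    if profile.gross:
        return profile.resolver
    if any(_under(qname, d) for d in effective_domains(profile)):
        return profile.resolver
    return default_resolver


if __name__ == "__main__":
    # Constructed sample profile: the enterprise claims one domain it was never verified for.
    profile = EnterpriseProfile(
        resolver="dns.corp.example",
        claimed_domains=frozenset({"corp.example", "mail.corp.example", "other.example"}),
        authorized_domains=frozenset({"corp.example"}),
    )
    print("honoured:", sorted(effective_domains(profile)))
    print("refused: ", sorted(rejected_claims(profile)))
    for name in ("www.corp.example", "www.other.example", "notcorp.example"):
        print(f"{name:20} -> {select_resolver(name, profile)}")
```

The label-aligned suffix check in `_under` matters: a plain string suffix test would let a claim for `corp.example` capture queries for `notcorp.example`, which is exactly the kind of reach beyond enterprise control the thread is worried about.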




________________________________

The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
