Re: [Add] add-enterprise-split-dns and split horizon DNS

"Vinny Parla (vparla)" <vparla@cisco.com> Fri, 03 December 2021 15:29 UTC

From: "Vinny Parla (vparla)" <vparla@cisco.com>
To: Paul Wouters <paul@nohats.ca>, Dan Wing <danwing@gmail.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "add@ietf.org" <add@ietf.org>
Date: Fri, 03 Dec 2021 15:29:05 +0000
Message-ID: <BN8PR11MB3828B96F8820F5602092F38BD86A9@BN8PR11MB3828.namprd11.prod.outlook.com>
References: <60F1A5E0-056F-4B43-B4B9-EDA893ECDAE3@gmail.com> <F8B0007E-0ABC-4E1A-A102-0E53A1451F93@nohats.ca>
In-Reply-To: <F8B0007E-0ABC-4E1A-A102-0E53A1451F93@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/JGeO8s_XIoNSTZjmEsgJhl9ihY4>

> The problem remains how to securely receive, validate and authorize a list of domain names that should be resolved via the local network advertised nameserver.

I might suggest adding " and only by that nameserver." to the end, to address the leakage concerns.

-----Original Message-----
From: Add <add-bounces@ietf.org> On Behalf Of Paul Wouters
Sent: Thursday, December 2, 2021 9:31 PM
To: Dan Wing <danwing@gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; add@ietf.org
Subject: Re: [Add] add-enterprise-split-dns and split horizon DNS

On Dec 2, 2021, at 20:46, Dan Wing <danwing@gmail.com> wrote:
> 
> Split-horizon DNS has the same name on the inside ("private") network as on the outside ("public"), but they resolve to different IP addresses.  

That is one form of split dns. Split simply means there is more than one view that is different.

>  If there is an internal delegation where "corp.example.com" is only resolvable from the inside that is not "split DNS" -- at least, not by my definition.

You seem to be trying to redefine the definition then.

> Such an internal-only delegation is a far easier problem because if the wrong DNS server is queried, it won't have any answer (ignoring data leakage issues of querying the wrong DNS, of course).

That it won’t resolve to anything won’t make the problem easier.

>  Split DNS is complicated because querying the wrong DNS returns the wrong answer and the wrong IP address is either not routable from the Internet or gives the public view of the resource when the "employee" view was desired.

I really would not use this definition of split dns. It will lead to confusion and solutions offered would be incomplete and not cover the actual issues this WG is trying to address.

> I agree the proposal in our document may not be ideal.  During the presentation and Q&A we discussed briefly another approach to test for a squatted domain by using DNSSEC rather than querying a public DNS server.

I don’t think typo squatting is a problem in scope for recursive resolver selection for specific domain names.

The problem remains how to securely receive, validate and authorize a list of domain names that should be resolved via the local network advertised nameserver.

The solution seems to steer towards “putting things in public dns”, which I do not think is the right solution. Defining “internal only domains” as “not split dns” is not a workable solution for this.


Paul
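A client-side resolver-selection policy that illustrates the two points argued above (the same name answering differently per view, and the "only by that nameserver" leakage concern), as an added example that is not code from the thread or from the enterprise-split-dns draft; the resolver addresses, the authorized domain list and the DNS views are constructed placeholders.

```python
# Added example, not from the thread or any draft: a client-side resolver
# selection policy for split-horizon DNS; addresses and views are constructed.
from dataclasses import dataclass, field

@dataclass
class SplitDnsPolicy:
    enterprise_resolver: str   # the network-advertised nameserver
    public_resolver: str
    internal_domains: tuple    # authorized names, e.g. ("corp.example.com",)
    strict: bool = True        # "and only by that nameserver": no public fallback
    leaks: list = field(default_factory=list)

    @staticmethod
    def _labels(name):
        return tuple(name.rstrip(".").lower().split("."))

    def is_internal(self, qname):
        """qname equals or is under an authorized domain.  Matching is per DNS
        label, so 'notcorp.example.com' does not match 'corp.example.com' (a
        plain string-suffix test would wrongly route it to the enterprise)."""
        q = self._labels(qname)
        return any(len(q) >= len(d) and q[-len(d):] == d
                   for d in map(self._labels, self.internal_domains))

    def select_resolver(self, qname):
        return self.enterprise_resolver if self.is_internal(qname) else self.public_resolver

    def resolve(self, qname, send):
        """send(resolver, qname) -> answer or None (NXDOMAIN / timeout).  Without
        strict mode an unanswered internal query is retried at the public
        resolver, which discloses the internal name; strict mode never does."""
        first = self.select_resolver(qname)
        answer = send(first, qname)
        if answer is None and first == self.enterprise_resolver and not self.strict:
            self.leaks.append(qname)   # internal name left the enterprise path
            answer = send(self.public_resolver, qname)
        return answer

# Constructed views: the same name answers differently inside and outside
# (split horizon), and corp.example.com exists only in the inside view.
VIEWS = {"10.0.0.53": {"www.example.com": "10.1.2.3", "wiki.corp.example.com": "10.5.6.7"},
         "192.0.2.53": {"www.example.com": "203.0.113.10"}}

def fake_send(resolver, qname):
    return VIEWS[resolver].get(qname.rstrip(".").lower())

def make_policy(strict=True):
    return SplitDnsPolicy("10.0.0.53", "192.0.2.53", ("corp.example.com", "www.example.com"), strict)
```

Running `make_policy(strict=False).resolve("gone.corp.example.com", fake_send)` records the name in `leaks`, which is exactly the disclosure the strict policy avoids.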