Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt

Ben Schwartz <bemasc@google.com> Sat, 22 January 2022 00:15 UTC

References: <164273967921.28045.13105308218406662743@ietfa.amsl.com> <CAFpG3geerJH+jWEZpZnHJpEFcOr+81WyOFvWoAaHmR6N4jBZyg@mail.gmail.com> <4182fe-1e8-ef1-d3e5-75b17da23b9e@nohats.ca>
In-Reply-To: <4182fe-1e8-ef1-d3e5-75b17da23b9e@nohats.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Fri, 21 Jan 2022 19:15:25 -0500
Message-ID: <CAHbrMsBvy6F05y+rXzS+KtpOCn4+RCcJnjLdduHfdz8ENCOQzw@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: tirumal reddy <kondtir@gmail.com>, ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/KOxtpXADnp2aoicquAFLiEVsdKs>
Subject: Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt

On Fri, Jan 21, 2022 at 4:23 PM Paul Wouters <paul@nohats.ca> wrote:

> On Fri, 21 Jan 2022, tirumal reddy wrote:
>
> > We published the -08 version of the Split-Horizon DNS Configuration draft
> > https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns-08
> > based on WG feedback from IETF 112.
> >
> > Key changes are:
> >
> >    *  Restricted the scope of the document to split-horizon DNS names
> >       that are properly rooted in the global DNS.
> >    *  Added new terminology of hybrid resolver/client, authorised split
> >       horizon and domain camping
> >    *  Added DNSSEC to confirm authority over the split-horizon domains
>
> I am not sure if reducing the scope of split-dns is the way forward. A
> lot of split DNS is specifically for internal only domains, so I feel
> this document is now going to be very confusing for offering a split-dns
> solution without actually offering a split-dns solution.
>

I'm not sure what you mean by "internal-only domains".  To be clear, a
domain like "asdf.corp.example.com" is "properly rooted in the global DNS"
if it is done with the permission of "example.com", even if
"asdf.corp.example.com" is NXDOMAIN on the public internet.

What's newly excluded in this draft are domains like "example.faketld",
i.e. names whose parent (in this case the root) did not give permission for
this use.

...

> If DNSSEC is required for split-dns, then it is also very conceivable
> that DNSSEC is used for the internal domains. For IKEv2 split-dns we
> offered the option to signal DS/DNSKEYs for the internal view. I don't
> think any of the add related drafts offers this option? If I missed it,
> please let me know how a client that decides to pick "example.com"
> resolving via the internal view of the split, can obtain the required
> DS/DNSKEYs of those internal zones?
>

I don't understand the question.  These names are properly rooted in the
DNS, so DNSSEC validation of signed zones proceeds as usual, without any
need for additional trust anchors.
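Added illustration (not from the draft or from Ben's message) of the distinction drawn above: a toy walk down a constructed delegation tree showing why a name rooted under "example.com" chains back to the root trust anchor, while "example.faketld" has no path from the root and could only validate with an extra trust anchor. The tree layout, the "insecure" example under org, and the function names are assumptions; only delegation and DS presence are modelled, no signatures are checked.

```python
# Constructed delegation tree (assumption): parent zone -> {child label: parent publishes DS}.
# The dotted names are the ones used in the thread; the layout is invented for the example.
DELEGATIONS = {
    ".": {"com": True, "org": True},   # root zone delegates com and org and signs their DS
    "com": {"example": True},          # com publishes DS for example.com
    "example.com": {"corp": True},     # example.com authorises corp.example.com (internal subtree)
    "corp.example.com": {},            # asdf.corp.example.com is a plain name inside this zone
    "org": {"example": False},         # example.org: delegated, but no DS (unsigned delegation)
}
ROOT_TRUST_ANCHOR = "."  # the only trust anchor the validator is given


def walk_from_root(name):
    """Follow delegations from the root down to `name`.

    Returns (status, chain):
      "secure"     every zone cut carries a DS, so DNSSEC validates from the root anchor alone
      "insecure"   rooted, but an unsigned delegation breaks the DNSSEC chain below that cut
      "not-rooted" no delegation from the root leads here (e.g. a fake TLD), so the name
                   could only be validated with an additional, non-root trust anchor
    `chain` lists the zones traversed, starting at the root.
    """
    labels = name.rstrip(".").split(".")[::-1]  # top-down: TLD first, then 2nd level, ...
    parent, chain, status = ROOT_TRUST_ANCHOR, [ROOT_TRUST_ANCHOR], "secure"
    for label in labels:
        children = DELEGATIONS.get(parent, {})
        if label not in children:
            # No zone cut for this label. Directly under the root that means the
            # TLD does not exist: the root never gave permission for this name.
            if parent == ROOT_TRUST_ANCHOR:
                return "not-rooted", chain
            break  # name lies inside `parent`'s zone (possibly NXDOMAIN, but still rooted)
        child = label if parent == ROOT_TRUST_ANCHOR else f"{label}.{parent}"
        if not children[label]:
            status = "insecure"  # delegation without DS: provably unsigned below this cut
        chain.append(child)
        parent = child
    return status, chain


def needs_extra_trust_anchor(name):
    """True when a validator holding only the root anchor can never validate `name`."""
    return walk_from_root(name)[0] == "not-rooted"


if __name__ == "__main__":
    for n in ("asdf.corp.example.com", "example.faketld", "foo.example.org", "nonexistent.com"):
        print(n, "->", walk_from_root(n))
```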