Re: [Add] draft-reddy-add-enterprise-split-dns, was Re: ADD Calls for WF Adoption
tirumal reddy <kondtir@gmail.com> Mon, 18 October 2021 06:25 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35F483A11DC for <add@ietfa.amsl.com>; Sun, 17 Oct 2021 23:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AhtgX0YVMJeY for <add@ietfa.amsl.com>; Sun, 17 Oct 2021 23:25:13 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99FCC3A11DB for <add@ietf.org>; Sun, 17 Oct 2021 23:25:12 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id 145so6981619ljj.1 for <add@ietf.org>; Sun, 17 Oct 2021 23:25:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z9mLlM/7Ix3oHsiY4eSKXKZJyCgv9vgVv9kFl6Nym+M=; b=pRmaszBYNiR4JzIhag1VVSdw54i0xMjQ1uQWTwYDk51TLkJZlVU1beEbNlmP276n67 CovrDwgBDP4+9kZcHm1sSrrb0jTcyXPi+KmmGC67ZU2ks5dzVH61jLIz9sjHdmzGTa8x aftL8hGuMAwIy1rKId6tBHA0XiPe/o84Bls5xZ03On/ee3fBXbgg+s1Dg3OdTgLQBQvV ozXsF7XCRpg2sk7RNxvEUGuLMj4X1JaW/aNS+5wQuuEpK+Wr+2h8ZlQhKRH43sup67Bx QD9SsEIfG3a4YgRbkmFHOwQ6RFTHVXV1ZmMCiugdTraF4iW5FNl0qj0K6VYaoC0P27ea MN0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z9mLlM/7Ix3oHsiY4eSKXKZJyCgv9vgVv9kFl6Nym+M=; b=HAcoXafDJ1q2Mb7LH4nyjulHqL4wi9xMI5pCOFE7UwrospIlIyaIpC3k0xlKM5Tt69 EFuWNJ0gQpV1J7GpRri9T8HibpZE+kTDYX6e41xiAb6KmunGMSvUhU7Nx3BATD5MDyVe zFrUrPjDa4FBRftuDj7N5ni+ID4S5Pk9edTZFoRAfva9QoVwzT4mCdhI/RoMnrs3Hkz/ a6LZmVmoUGGgvmDx0qW5WzFzqZFqiRu0LjhBxLzKiMhgMFrbMRSNjJWcWYKtHVPIwEcj eCI6TIE51vylJiA+YsGJmMxH9QeqecBHSsuf/ypK6BX5uyilQYa/KtXqfDdvTq3y+n+G 4J9A==
X-Gm-Message-State: AOAM531fIcFCL/qgfBJCgrmk8Nd0FvcR5OXozt00pVW7yr/yrbiwdZbM k5wG8SK2VJrktRTM1iJE0K6oQ+H19G5shqJ3EKQ=
X-Google-Smtp-Source: ABdhPJy+3zUxolJrl1TJeNkf72hngOEdCeP5TDdGisQOp+bOmBSBnAW3KftcBgu3+GcvkS7STMGsMN19vd8WmlMJc5Y=
X-Received: by 2002:a2e:a584:: with SMTP id m4mr30522882ljp.489.1634538310575; Sun, 17 Oct 2021 23:25:10 -0700 (PDT)
MIME-Version: 1.0
References: <2B5040C6-5A70-4DE6-ADF1-056D5CB0B524@comcast.com> <338d8ed-6712-227b-e4d-6e4d603be5c4@nohats.ca> <CAFpG3gduOGypj7RLddy-nneM53ZGXsK1mSJ8iHhx_sRXYxRF=A@mail.gmail.com> <8653ebda-a79b-1323-5374-776af6785025@nohats.ca> <9BA207BE-D6A6-40F8-8EA5-3766B7B29D0E@apple.com> <CABcZeBO_QByrV5Rh0j5o3oA5FdvMSUiqJa9trhXxov9QKxJg2g@mail.gmail.com>
In-Reply-To: <CABcZeBO_QByrV5Rh0j5o3oA5FdvMSUiqJa9trhXxov9QKxJg2g@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 18 Oct 2021 11:54:59 +0530
Message-ID: <CAFpG3gdP37VKOauTUExvUYJBLyeJHu=XqRO0jq=+xRRYDstTNw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>, "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005fa9e205ce9a9be0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Lj9DEWgpMrtK4ehco8146pFvVVU>
Subject: Re: [Add] draft-reddy-add-enterprise-split-dns, was Re: ADD Calls for WF Adoption
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2021 06:25:20 -0000
Hi Eric, Please see inline On Sat, 16 Oct 2021 at 04:31, Eric Rescorla <ekr@rtfm.com> wrote: > I'm actually trying to work through the logic of this. As I understand > it, suppose that I control example.com and I want to have it be split, > I would do two things: > > * Publish something like the following in the dnsZones key. > > { "identifier": "ns1.example.org", "dnsZones" : ["example.com"]} > > * Publish an NS record for "example.com" pointing to "ns1.example.org" > > Note that the text doesn't seem to say that the "identifier" field > reflects the server, so I'm kind of guessing here. > The "identifier" field should match the PVD FQDN conveyed to the endpoint in the PVD RA option (see https://datatracker.ietf.org/doc/html/rfc8801#section-3.1). The client establishes HTTPS connection to the PVD FQDN to retrieve PVD additional information including dnsZones and prefixes. The client will learn the network-designated resolver "ns1.example.o <http://ns1.example.com>rg" using the RA option defined in draft-ietf-add-dnr. > > > A client which is conformant to this draft: > > 1. Looks up the NS record for example.com using a public > resolver (step 1) > 2. Sees that it matches "ns1.example.org" (step 2A) > 3. Connects to ns1.example.org 2(B). If that succeeds, then it > uses ns1.example.org to resolve example.com. > > Do I have this right? > Yes. > > > Assuming this is so, how does the client learn the IP address for > ns1.example.org? Ordinarily this would be a glue record when it > retrieved the NS records. Is that what happens here? > The client will learn the IP addresses of ns1.example.org using the RA option defined in draft-ietf-add-dnr. -Tiru > I've got some more questions, but I'll stop now and get back to > them once I understand if this is right. > > -Ekr > > > > > On Fri, Oct 15, 2021 at 3:21 PM Tommy Pauly <tpauly= > 40apple.com@dmarc.ietf.org> wrote: > >> I agree with the sentiments being expressed on list that this document >> isn’t quite ready to adopt in this form. >> >> There’s something here, but the problem being tackled here is larger than >> enterprise networks, and even split-DNS local network configurations. The >> use case for enterprise networks is a valid driver of the problem, but I >> don’t think we can solve it without addressing the problem of proving a >> relationship between a set of domains and a Provisioning Domain (where that >> domain can imply a set of DNS resolvers and even network paths that are >> correct to use). VPNs do solve this nicely today, but we are missing the >> mechanism to this in a trusted way without a VPN or managed configuration. >> >> The core idea about identifying that a resolver is the “right one” was >> also one of the goals the work around our “adaptive DNS privacy” was >> centered around ( >> https://datatracker.ietf.org/doc/html/draft-pauly-add-resolver-discovery-01#section-3.2). >> In that, the client would have discovery using PvDs, and could confirm the >> designation of a resolver by the domain owner by looking at a web-fetched >> PvD file off of the apex domain for the zone. That was a different use >> case, but I think it shows that the space of solutions we can use to >> associate domains is broad. >> >> Thanks, >> Tommy >> >> On Oct 14, 2021, at 10:18 AM, Paul Wouters < >> paul.wouters=40aiven.io@dmarc.ietf.org> wrote: >> >> On Thu, 14 Oct 2021, tirumal reddy wrote: >> >> Thanks for the review. The split-horizon DNS configuration is not >> specific to Enterprise networks and is applicable to other types of >> networks offering >> private domains. The draft does not make any assumptions whether the >> network is Enterprise or not based on the WiFi authentication mechanism. >> >> >> That is not the traditional way of defining an "enterprise network". >> Also, the document _does_ define it: >> >> The term "enterprise network" in this document extends to a wide >> variety of deployment scenarios. For example, an "enterprise" can be >> a Small Office, Home Office or Corporation. >> >> It is not at all obvious that we can encounter this protocol at >> coffeeshop and hotel wifis, which have a strongly different security >> context from corporate enterprises (small or home or large) >> >> I can ignore the "enterprise" in the draft name, but not the definition >> in the document with the security aspects of the protocol. So in that >> way, my raised issues still apply and have not been addressed. >> >> This document can say that this is for "enterprise" networks, but an >> enduser does not know when it is connecting to an enterprise network >> or >> not. Even if it does, it is unclear why the user should trust a list >> of >> domains to "give away" to the local resolver. Should a Google Wifi >> at a >> Starbucks be able to redirect gmail.com ? Should "coffee.com" be >> able >> to be redirected by a Starbucks Wifi? Or by Java House Inc ? Who even >> is coffee.com? Can humans even made these kind of decisions? And if >> humans can't, do we think we can teach algorithms this ? >> The network-designated resolver must prove authority over the domains as >> discussed in >> >> https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns-06#section-4.1, >> otherwise, the client will not use the network-designated >> resolver to resolve the domains in the "dnsZones" key. Most importantly, >> the mechanism proposed in the draft does not require any end-user >> intervention to >> determine authority over the domains. >> >> >> Can you please give me (or better yet, in the document) and complete >> example of the queries and responses sent? Because I still feel there >> is a chicken and egg problem here. The location of PvD related to the >> domain names in particular is what I don't understand. >> >> Retrieving the additional PvD information using an HTTPS server is >> discussed in https://datatracker.ietf.org/doc/html/rfc8801#section-4.1 >> . >> >> >> I read that part, but it does not explain it to me well enough to >> understand: >> >> When the H-flag of the PvD Option is set, hosts MAY attempt to >> retrieve the PvD Additional Information associated with a given PvD >> by performing an HTTP-over-TLS [RFC2818] GET query to "https://<PvD- >> ID>/.well-known/pvd". Inversely, hosts MUST NOT do so whenever the >> H-flag is not set. >> >> What is the relationship between PvD-ID as FQDN and the domain names >> (plural!) that I'm asking authentication of? Can I send a PVD-ID H-flag >> pointing to pvd.nohats.ca? That would list "gmail.com" ? Please clarify >> the relationship between the internet-reachable PvD domain name and the >> target list of domain names the network wants to take over. Then also >> tell me how that would work for 50000 starbucks wifi networks? >> >> Section 4.1: >> >> To comply with [RFC2826] the split-horizon DNS zone must >> either not >> exist in the global DNS hierarchy or must be authoritatively >> delegated to the split-horizon DNS server to answer. >> >> I am unsure how this "authoritatively delegated to the split-horizon >> DNS >> server" works? Unless it means "single public reachable DNS server >> with >> bind views". I don't think these two methods would cover most of the >> split DNS zones currently deployed. I think RFC2826's advise in >> practise >> is a ship that sailed a long time ago. This is again an important >> issue, >> because it is the base of trust going forward. The client will >> receives >> answers it has to trust, but I don't see the full verifiable linked >> chain >> clearly. I am not sure if that is due to the document text or my >> understanding of it. >> >> >> You did not answer this question. >> >> The client sends an NS query for the domain in DnsZones. >> This >> query MUST only be sent over encrypted DNS session to a >> public >> resolver that is configured independently or to a network- >> designated resolver whose response will be validated using >> DNSSEC >> as described in [RFC6698]. >> >> I have strong objections to treating DNSSEC validation and >> "outsourced >> DNS validation over secure transport" as equivalent. Transport >> security >> is not data origin protection. >> Good point, we will update the draft to clarify that a DNSSEC validating >> client will apply the same validation policy to the NS query as it does to >> other >> queries. >> >> >> that would improve things, but still leave this authentication method >> between starbucks consumer and starbucks provider to whatever thid party >> DNS server the consumer has installed, and requires that this third >> party DNS is reachable. If it is not reachable (eg lets say DoH and DoT >> is blocked) then this requrement fails. What does a client then do? Use >> regular port 53 from the local network? Refuse to send the query and fail? >> If the latter, then I can censor newyorktimes.com simply by adding it to >> my dnsZones and blocking all known DoT/DoH servers. In other words, this >> part of the protcol implies to do something security related, but it >> does not actually seem to add security AND it potentially adds a denial of >> service vector. >> >> This statement has the underlying claim >> that the outsourced DNS query to a public DNS server over TLS is >> equivalent to a DNSSEC protected query (over TLS or not). It is not >> equivalent. I have concerns about TRR and ADD type DNS resolvers >> getting >> mandated by nation states as internet entry points, and ADD really >> helps >> building such a censorship infrastructure. >> The client would use the proposed mechanism only if it is configured to >> use a DNS resolver not signalled by the network (e.g., the endpoint is >> configured >> to use VPN or a public resolver). If the client is using DNR/DDR to >> discover and use the network-designated resolvers, it does not have to use >> this draft >> and the split-horizon domains will be resolved by the network-designated >> DNS server. >> >> >> We are saying the same thing. Imagine Badcountry says "configure TRR to >> IP a.b.c.d" or else. And now this whole protocol is triggered with their >> potential impact with the (wrong) assumption that this is something the >> user opted in to but are actually forced in to. Our goal should be to >> make this as least attrictive to censors as possible. >> >> One MUST be able to require >> DNSSEC to ensure domain owners keep control of their domain and not >> lose >> it to a nation state with bad intensions. >> If the client is using a public resolver, it is anyway receiving all the >> queries from the endpoint including the queries for private domains and the >> bad >> public resolver can do a lot more damage than lying about the >> non-existence of a domain. >> >> >> It is not the public resolver that is the issue here, but the local one. >> Say my company uses DNSSEC to protect "nohats.ca" and now I'm going to >> the office, and connect to the split-dns. I wouldn't want to degrade the >> security to non-dnssec just because I cannot get the split DNS trust >> anchor for "nohats.ca" within this office in Toronto (which on top of >> things might also be differet from the split DNS trust anchor in use by >> my office in Helsinki). How can I get DNSSEC to work for "nohats.ca" in >> the split view DNS at various offices ? I see no capability in the >> protocol for this, so using this protocol always causes a downgrade from >> DNSSEC to non-DNSSEC. >> >> The client checks that the NS RRset matches any one of the >> ADN of >> the discovered network-designated encrypted DNS resolvers. >> >> Which NS RRset is it supposed to check? The RRset at the parent >> (unsigned!) or at the child (validatable). Current practise already >> sees so many mismatches between these two (called lame delegations) >> that I think this cannot be used by the ADD client to determine >> applicability unless there is a Section of test clarifying what it >> should do with respect to different NS RRsets. >> The client will have to check the NS RRset at the child and not at the >> parent level. We will update the draft for better clarity. >> >> >> So all offices of "nohats.ca" worldwide have to use the same single >> "discovered >> network-designated encrypted DNS resolvers"? Because they will all get >> the same answer from public DNS ? This would be hard to impossible to >> manage for global companies with different IT departments in each >> country or city. >> >> If the match succeeds, the client can then establish a secure >> connection to that network-designated resolver and validates >> its certificate. >> >> I guess it cannot build a secure connection _until_ it has validated >> its certificate? There are subtle implications here, as in the >> connection cannot be blindly used, it must first go from unvalidated >> to validated before it is available. >> Sure, we will fix the above line as follows: >> If the match succeeds, the client establishes a TLS connection to that >> network-designated resolver and validates the server certificate exchanged >> during >> the TLS handshake. >> >> >> How does it validate the TLS certificate ? I don't think TLSA because >> again that would be available only on 1 version in the world view, but >> ns.toronto.nohats.ca might not exist in the worldview if >> toronto.nohats.ca is the split dns name to begin with ? And the network >> is likely on private IP space and we can't look up things there? That >> leaves webpki but how are those going to validate private IP or >> non-public names ? >> >> As an exception to this rule, the client need not perform the >> above validation for domains reserved for special use >> [RFC6761] >> or [RFC6762] such as ".home.arpa" or ".local". >> >> What about those split DNS worlds that use .local locally. There are >> many. Should all of them skip validation? That is a security issue >> that should be addressed in a better way. >> I don't get the above comment, please elaborate on the need to perform >> the validation for .local domains. >> >> >> I believe it was Microsoft who recommended companies use ".local" or >> ".corp" for their internal domain name. This document saying to skip >> validation on those means these names cannot be securely used for split >> DNS. >> >> For example, if in a network the private domain names are defined >> under "internal.corp1.example.com". The DnsZones PvD Key would >> indicate that "*.internal.corp1.example.com" are private domain >> names. The client can trigger a NS query of >> "internal.corp1.example.com" and the NS RRset returns that the >> nameserver is "ns1.corp2.example.com". The client would then >> connect >> to the network-designated encrypted resolver whose name is >> "ns1.corp2.example.com", authenticate it using server >> certificate >> validation in TLS handshake, and use it for resolving the >> domains in >> the subtree of "*.internal.corp1.example.com". >> >> It is unclear to me where the PVD Key (PVD ID, aka FQDN) for this >> domain >> should be "found" ? See my comment above? It cannot be on the >> internal >> resolver, that has not been approved yet as valid. Should it be done >> on >> the public one? But then all split zones need to coordinate (eg all >> *.starbucks.com need to link their coffeeshops to the same public >> PVD >> info?). I don't fully understand the bootstrap here, and cannot >> determine >> its security. >> >> >> You did not answer this question, which is my biggest question actually >> as the mapping between PvD domain and dnsZones entry is what I don't >> understand. >> >> Security Considerations section: >> >> As an additional precaution, clients may want to preconfigure >> global >> domains for TLDs and Second-Level Domains (SLDs) to prevent >> malicious >> DNS redirections for well-known domains. >> >> This seems like a really big deal. It kind of says this mechanism >> cannot >> be fully trusted. Preconfiguration of "well-known domains" in >> internet >> protocols is very damaging to the decentralized nature of the >> internet - >> it creates first and second class citizens/domains. If the draft >> cannot >> address this problem, I would be tempted to look for alternative >> solutions >> that stand on their own protocol without hardcoded lists. >> No, the mechanism discussed in Section 4.1 is required to determine if >> the network-designated encrypted resolver is authoritative over the domain >> in >> DnsZones. The well-known domains are only used as a first line of defense >> to detect if the network is lying. >> >> >> Either your method is secure, and this "additional precaution" is not >> providing security and should be removed, or it does provide some >> security, in which it is hiding a fundamental flaw in the security >> properties of this protocol. >> >> Paul >> >> Cheers, >> -Tiru >> >> >> I think this document is using "enterprise deployment" in too easy a >> way. WPA2 Enterprise is deployed by coffee shops, so the protocol >> specifications says nothing about the how the protocol will be used. >> So to me, this protocol is "Access Point split DNS", and I have to >> figure out if the access point is trusted or not. It seems that the >> validation of this depends strongly on being able to reach public DNS >> servers, which is often not the case. For example ISP redirectin of >> 8.8.8.8 to their own servers, country level blocking of public DNS >> for censorship reasons, etc. >> >> I am still not convinced that any client (browser) should ever enable >> any of this (ADD) for their own security. In fact, I would almost >> argue >> that setting up an IKEv2 VPN _just_ for configuring DNS using RFC >> 8598 >> would be a better solution. It would require an explicit trust >> relationship between client and network, installed with consent of >> and by >> the enduser, and would be limited to the security considerations of >> RFC >> 8598. And it would support internal zones with their own DNSSEC keys >> different from the public zones. Of course, I don't want to securely >> provision my phone or laptop for all the coffeeshops brands in the >> world, >> so we need something better. But so far, I don't think this draft is >> providing me with a strong alternative solution for reconfiguring >> part >> of my DNS. >> >> Paul >> -- >> Add mailing list >> Add@ietf.org >> https://www.ietf.org/mailman/listinfo/add >> >> -- >> Add mailing list >> Add@ietf.org >> https://www.ietf.org/mailman/listinfo/add >> >> >> -- >> Add mailing list >> Add@ietf.org >> https://www.ietf.org/mailman/listinfo/add >> >
- [Add] ADD Calls for WF Adoption Deen, Glenn
- [Add] draft-reddy-add-enterprise-split-dns, was R… Paul Wouters
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… tirumal reddy
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Paul Wouters
- Re: [Add] ADD Calls for WF Adoption Martin Thomson
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Tommy Pauly
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Eric Rescorla
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Michael Richardson
- Re: [Add] ADD Calls for WF Adoption Michael Richardson
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Tim Wicinski
- Re: [Add] ADD Calls for WF Adoption Steffen Nurpmeso
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… tirumal reddy
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… tirumal reddy
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… tirumal reddy
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… tirumal reddy
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… tirumal reddy
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Michael Richardson
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Paul Wouters
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Paul Wouters
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… Vittorio Bertola
- Re: [Add] draft-reddy-add-enterprise-split-dns, w… tirumal reddy
- Re: [Add] ADD Calls for WF Adoption Jim Reid
- Re: [Add] ADD Calls for WF Adoption Eric Rescorla
- Re: [Add] ADD Calls for WF Adoption Martin Thomson
- Re: [Add] ADD Calls for WF Adoption Diego R. Lopez
- Re: [Add] ADD Calls for WF Adoption Geoff Huston
- Re: [Add] ADD Calls for WF Adoption Eric Rescorla
- Re: [Add] ADD Calls for WF Adoption Michael Richardson
- Re: [Add] ADD Calls for WF Adoption Tommy Pauly
- Re: [Add] ADD Calls for WF Adoption Paul Wouters
- Re: [Add] ADD Calls for WF Adoption Vinny Parla (vparla)
- Re: [Add] ADD Calls for WF Adoption Daniel Migault