Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt
Ben Schwartz <bemasc@google.com> Mon, 24 January 2022 15:58 UTC
Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D6793A0C06 for <add@ietfa.amsl.com>; Mon, 24 Jan 2022 07:58:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id apwYqzd1Qo4t for <add@ietfa.amsl.com>; Mon, 24 Jan 2022 07:58:18 -0800 (PST)
Received: from mail-vk1-xa31.google.com (mail-vk1-xa31.google.com [IPv6:2607:f8b0:4864:20::a31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A167F3A10EB for <add@ietf.org>; Mon, 24 Jan 2022 07:58:18 -0800 (PST)
Received: by mail-vk1-xa31.google.com with SMTP id n14so10399312vkk.6 for <add@ietf.org>; Mon, 24 Jan 2022 07:58:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Dyl5TEWkqoCA0lg18gmirP9VXl6bQDfKZLUI5etsYmo=; b=fW9Q8oRuwBB3p94+K9FM6+idq9NpUBQvf94f8e41QG3MKlV/rdEl97KcgUjQa2RWY5 3ncuTuiv+77pcnajxX8Y4JwBS1QVpW978dgC8WD92sU5MeV6RreCL9QdlftMKHqvarXr MtmUvxB3pzrnIW5FTqt5Aa6wtrlKiw+Fuu7freNJnVDzJVd9w1+qkfA/GfR7+N67dPpm Krctdog3FGcOv5SgNpj8AU6qYKQBfFlUwOZcIImeNDZ8kGOXZD433NV5bXrgUlQFhxtH dC/xBQKc8WSIP/e0DheVjb+iMOX3kv4t3eFdJB/KvqsJeox15fSD/nsZxLNnPqBiL6yy P/lA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Dyl5TEWkqoCA0lg18gmirP9VXl6bQDfKZLUI5etsYmo=; b=qpUwUwabNSk5cjwF+BKvqmFwSkts3W1fs+nwbZU8w1dHKA2fxCEZZWJtRdsp6OMIOI 9NmREolAx6TwgC484xYw+CVU9KpCyTWDTsbUlqWIZmWW4KvXfXT5KtLDS9oMsOevjSUQ YZYdCMl/+GuAiZklmIMVcfDOo4tamsdBfxkdC34U3oENtBmEN8liZTt28aB1uNJ86F6J EM1U/kFMPQ4YKpY8O3L8V+MS6iRMnOqz99iJJuJgbY4BoJQcY22ABvaLvwfaoYXVpRiz xVVo089dVjasVnpdyZu3YsycQBcpkYr/oPgh1gLwhIjsR/pWZ56epPDQ1rZqafcO5+l/ 476g==
X-Gm-Message-State: AOAM532R2dZjFy7gQyoR775FTVK2/JV3Jx5QZjVVDx77RAqDo36vSE44 N2aKe/uu19HM14+5wYbncbynhehesU2QhJRGXNm9ng==
X-Google-Smtp-Source: ABdhPJwTlO9i/vTNMSlRxQxsfBQakhui1iA0xWwnTLLc1nKS9nSjE6fjrH6w9oZm0TKc56fHeg5WJTxffPfUf1pJZPM=
X-Received: by 2002:a1f:1609:: with SMTP id 9mr5787895vkw.18.1643039896530; Mon, 24 Jan 2022 07:58:16 -0800 (PST)
MIME-Version: 1.0
References: <164273967921.28045.13105308218406662743@ietfa.amsl.com> <CAFpG3geerJH+jWEZpZnHJpEFcOr+81WyOFvWoAaHmR6N4jBZyg@mail.gmail.com> <4182fe-1e8-ef1-d3e5-75b17da23b9e@nohats.ca> <CAHbrMsBvy6F05y+rXzS+KtpOCn4+RCcJnjLdduHfdz8ENCOQzw@mail.gmail.com> <15222769-7BD4-49D4-AC67-DAD86191DB6E@fl1ger.de> <CAHbrMsDDjvkBBAQnANPC0ENktNdsuf7yuVRu9W43y9UNqZP1fw@mail.gmail.com> <8DA1814C-FA1C-49DD-986D-315865D44E5C@fl1ger.de>
In-Reply-To: <8DA1814C-FA1C-49DD-986D-315865D44E5C@fl1ger.de>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 24 Jan 2022 10:58:05 -0500
Message-ID: <CAHbrMsAm1LzxXVVNyuwYDP69NBCXeNQV6DT5NjZebY2ZSPTerQ@mail.gmail.com>
To: Ralf Weber <dns@fl1ger.de>
Cc: Paul Wouters <paul@nohats.ca>, ADD Mailing list <add@ietf.org>, tirumal reddy <kondtir@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000062d8c405d656093a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Pq2jPdH8hkDmjtuOe_HFkDdtMRs>
Subject: Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jan 2022 15:58:24 -0000
On Mon, Jan 24, 2022 at 10:45 AM Ralf Weber <dns@fl1ger.de> wrote: > Moin! > > On 24 Jan 2022, at 16:20, Ben Schwartz wrote: > > I think this is fine. You just publish DS records for both the internal > > and external DNSKEYs. Validation will then succeed for records signed by > > either key. > But then I give away that corp.example.com exists and that it has a > DNSKEY. > If you don't want "corp.example.com" to be mentioned publicly, then your internal resolver has to "claim" example.com. Assuming all zones are signed, you can do this either by signing a pair of conflicting records (an external NSEC denying corp, and an internal DS delegating corp) with the same key, or you can publish two DS records in the "com" zone (for the internal and external keys). (As Ted said, in my examples I've been assuming that the "corp" label is public, and any "hidden" names are under "corp", but the logic is the same if we go up one label.) >> Also keep in mind that if > >> corp.example.com > >> is NXDomain externally you need a special/different > >> example.com > >> internally to delegate corp.example.com. > >> > > > > Agreed. The claimed zone (which could be "example.com" or " > corp.example.com") > > must resolve differently internally and externally, or you haven't > actually > > "split" anything. > I have. example.com is different externally then internally. Externally > it is > missing the corp.example.com delegation. > Yes. >> I’ve always envisioned DNSSEC split horizon needing an internal trust > anchor > >> because of this ideally in the recursive resolver and stub resolver. > >> > > > > I don't think there's any need for a separate trust anchor. > In the above example there is, as corp.example.com does not exist in > public space > or are you saying that the case I described is not split DNS? This is split DNS, but there's no need for a separate trust anchor.
- [Add] I-D Action: draft-reddy-add-enterprise-spli… internet-drafts
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… tirumal reddy
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Paul Wouters
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ben Schwartz
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ralf Weber
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Michael Richardson
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Paul Wouters
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ben Schwartz
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ben Schwartz
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ralf Weber
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ted Hardie
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ben Schwartz
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Paul Wouters
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ben Schwartz
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Joe Abley
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Michael Richardson
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Michael Richardson
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Paul Wouters
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Ben Schwartz
- Re: [Add] I-D Action: draft-reddy-add-enterprise-… Eric Orth