IETF Logo Mail Archive

Re: [Add] Fwd: New Version Notification for draft-reddy-add-enterprise-split-dns-00.txt

tirumal reddy <kondtir@gmail.com> Fri, 26 February 2021 10:09 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7EA53A1070 for <add@ietfa.amsl.com>; Fri, 26 Feb 2021 02:09:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ldcZHgSnZ1q5 for <add@ietfa.amsl.com>; Fri, 26 Feb 2021 02:09:37 -0800 (PST)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E9B13A105E for <add@ietf.org>; Fri, 26 Feb 2021 02:09:37 -0800 (PST)
Received: by mail-il1-x12f.google.com with SMTP id g9so7572038ilc.3 for <add@ietf.org>; Fri, 26 Feb 2021 02:09:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mIdUib8aBo86PkDwWNWf79l1agki4YCzKxUYmHJvLq8=; b=bvXo4lmUWt4GuipSA75JiwOvuHH9Xq47pfzBsQ2YxODsToYj4nqK15X2EepsaFCFBO YGiekhgxOGjx8hiLqMwyCP/jw/cRkv5XXSLG4czPXq39MrCLCjWYmNTfUYs9p3p+sREo dDTP5PrtnsCx2X1ihKf3oIE19fR3r8VR1DeSiUK7IR6HkAaB17olBquQ5idBFrsu8Qdv /zcwMkJ4x8ybYmesDs/FZc9XlBxIE4a2fdJ/1hywStMUD0YZ/C81zOysl61JfwwE30Vy yXGZI6Xm56MnPs++VP/by97dc0CBNvpEUz4bwZCLFHtQkG36TkbqiZHtTvveCtjK4UN1 GylA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mIdUib8aBo86PkDwWNWf79l1agki4YCzKxUYmHJvLq8=; b=i8CHPGAeAV2Erun1nc7an6rblo+CMI8vsz7sp6RdBoGwL3XWpAebKY7nebCIAwqM1Z wJgUjtrCL9zo6t+wO8MRlL+D8NAFEtbEY1vWyy1AteDPH6Gl/Dh1ARC7Ku7cUvFwkYJi TUnG98bX+rrjLjDpxPiU9j0whJ587H9PEg2INoOtF68inOJu9qq2oo745cnrWMRZqfHf slFbzBHO1Za7avWON13vN8wYj0dCYK/WBeDAPhCYcXb6V4bBco1y76FwuZfeAaHRlGaA Tu27mQQZ8oFCNlgK+G2oxoRsLJ2h9/LewRlgHyMJ9VbxUgCtDgyGCL6EXqNU+LjctW5w gKMQ==
X-Gm-Message-State: AOAM5320V0YLl4JKrKOimszddP58nULpuVCDc38KniYUMTEcpF/pu2c5 rH9IKKLC4cdd/h2qE4wHwMGPmtImbv05bKLhYSo=
X-Google-Smtp-Source: ABdhPJyiORe656XjbBS+R76UzoojN6oGB43HWIco7uSyltAKxh9ovQsxzXjVR7VFLK6z8nAFP6M/WhhabbTqTl+cdQE=
X-Received: by 2002:a05:6e02:1d0e:: with SMTP id i14mr1669348ila.69.1614334176590; Fri, 26 Feb 2021 02:09:36 -0800 (PST)
MIME-Version: 1.0
References: <161388999018.9885.10981475193758933015@ietfa.amsl.com> <CAFpG3gcXerhxcS0V7yzd5nbZ_F-B5UeoipT+0NYicGYYP3P+uQ@mail.gmail.com> <CAHbrMsAo=VqY5fZBNxR6odcboEE78FP-EZJiz_YmbDE5D73vaA@mail.gmail.com>
In-Reply-To: <CAHbrMsAo=VqY5fZBNxR6odcboEE78FP-EZJiz_YmbDE5D73vaA@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 26 Feb 2021 15:39:24 +0530
Message-ID: <CAFpG3get5tqSB=yemy_0BRYyr6bTfovLQb6iv5Q-_fdT7AMdJA@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000025018605bc3a7793"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Q9W87VkPESBYzUECM0ZDTXthrLI>
Subject: Re: [Add] Fwd: New Version Notification for draft-reddy-add-enterprise-split-dns-00.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 10:09:40 -0000

Hi Ben,

Thanks for the review. Please see inline.

On Wed, 24 Feb 2021 at 02:20, Ben Schwartz <bemasc@google.com> wrote:

> This draft contains a large amount of veiled policy argumentation and
> outright specification of client policy.  That material is out of scope for
> this working group.
>

PvD can be used to provide the network configuration information, see
https://tools.ietf.org/html/rfc7556. If the WG thinks it is useful but not
in scope, we can discuss to enhance the scope; otherwise will remove the
text.


>
> Apart from that issue, the draft's quote from RFC 2826 quite expressly
> forbids the technical approach taken in this draft.  RFC 2826 says
> "if [private networks] wish to make use of names uniquely defined for the
> global Internet, they have to fetch that information from the global DNS
> naming hierarchy".  RFC 2826 later clarifies
>
> > The
> > requirement for uniqueness within a domain further implies that there
> > be some mechanism to prevent name conflicts within a domain.  In DNS
> > this is accomplished by assigning a single owner or maintainer to
> > every domain, including the root domain, who is responsible for
> > ensuring that each sub-domain of that domain has the proper records
> > associated with it.  This is a technical requirement, not a policy
> > choice.
>
> In my view, any draft that defines a modified lookup procedure must
> therefore ensure that it is not altering the party who controls the
> contents of any defined global domain.  This could work by first checking
> that a given name does not exist in the global namespace, or by providing
> evidence that the local network operator is the party responsible for the
> global name.
>

If the client queries a public resolver to check if the private DNS names
exist in the global namespace, it would leak the private sensitive names to
the public resolver and adversely impact privacy. Alternatively the client
can use bloom-filter of well-known domains to check if the name does not
exist in the global namespace (similar to the way Chrome uses bloom- filter
to identify if the domain visited by the user is not malicious), it avoids
leaking the private names to external resolvers.

We can update the draft to discuss the above mechanism.

I did not get the latter part of the comment : How would the local network
operator provide evidence that it claims authority over a global name ?

Further, it is quite common in split DNS for an authoritative server to
give different responses to queries from the Internet than queries from
devices attached to the network (see
https://tools.ietf.org/html/rfc6950#section-4).

Cheers,
-Tiru


> I recommend that the authors adopt one or both of those approaches to make
> this draft compliant with IAB guidance and good DNS practice.
>

>

> On Tue, Feb 23, 2021 at 3:59 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>> Hi all,
>>
>>
>> https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-00
>> discusses a mechanism to inform endpoints of split-horizon DNS and their
>> DNS domains, and is compatible with encrypted DNS. It addresses the use
>> cases of DNS configuration on explicitly trusted networks presented at ADD
>> interim (please see slides 7 to 9 in
>> https://datatracker.ietf.org/meeting/interim-2021-add-01/materials/slides-interim-2021-add-01-sessa-draft-box-add-requirements-design-slides-00.pdf
>> ).
>>
>>
>> Please review the draft and provide your valuable comments.
>>
>> Cheers,
>> -Tiru
>>
>> ---------- Forwarded message ---------
>> From: <internet-drafts@ietf.org>
>> Date: Sun, 21 Feb 2021 at 12:16
>> Subject: New Version Notification for
>> draft-reddy-add-enterprise-split-dns-00.txt
>> To: Tirumaleswar Reddy.K <kondtir@gmail.com>, Dan Wing <danwing@gmail.com
>> >
>>
>>
>>
>> A new version of I-D, draft-reddy-add-enterprise-split-dns-00.txt
>> has been successfully submitted by Tirumaleswar Reddy and posted to the
>> IETF repository.
>>
>> Name:           draft-reddy-add-enterprise-split-dns
>> Revision:       00
>> Title:          Split-Horizon DNS Configuration in Enterprise Networks
>> Document date:  2021-02-20
>> Group:          Individual Submission
>> Pages:          12
>> URL:
>> https://www.ietf.org/archive/id/draft-reddy-add-enterprise-split-dns-00.txt
>> Status:
>> https://datatracker.ietf.org/doc/draft-reddy-add-enterprise-split-dns/
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns
>> Htmlized:
>> https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-00
>>
>>
>> Abstract:
>>    When split-horizon DNS is deployed by an enterprise, certain
>>    enterprise domains are only resolvable by querying the network-
>>    provided DNS server.  DNS clients which use DNS servers not provided
>>    by the network need to route those DNS domain queries to the network-
>>    provided DNS server.  This document informs DNS clients of split-
>>    horizon DNS, their DNS domains, and is compatible with encrypted DNS.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>>
>

v2.23.0 | Report a Bug | By Email