Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
tirumal reddy <kondtir@gmail.com> Tue, 30 March 2021 07:03 UTC
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 30 Mar 2021 12:33:17 +0530
Message-ID: <CAFpG3gcUroKr=BD+pqy7-+D48osdM3wmtEjuVP6V+Gra3BqwFA@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/TtL2fj7Y7XqBmZ_pAmKPnN_KPXE>
Subject: Re: [Add] New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
On Sat, 13 Mar 2021 at 00:30, Tommy Pauly <tpauly@apple.com> wrote:

> On Mar 11, 2021, at 11:02 AM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>
> Thanks for the updates. Some comments
>
> Section 6:
>
>> If an Enterprise network restricts all the DNS queries to be sent to
>> the network-provided DNS server, SplitDNSAllowed will be set to
>> false.
>
> This is clearly a policy prescription, and is out of scope. I think this
> key should be removed from the draft.
>
> Agreed. I think the main issue is that this ends up being an "evil bit".
> There's no reason for a client to trust or respect this value, unless they
> already have a strong MDM-style relationship, in which case this wouldn't
> be needed.
>
> I am in favor of letting the network prove authority for private domains,
> or even present an identity for itself as the network operator. It's up to
> the client to use those or ignore those.
>
> The one thing the network could do that might be useful is provide a flag
> that it will be actively hostile to any DNS traffic it detects that does
> not go to itself, with some reason text. The (minimal) value there is to
> allow a client to present a reason for things being broken if the user of
> the client device also has a strict policy to not trust this network.

Good point, the flag is particularly useful when the client does not use a DNS lookup to reach the DNS servers not provided by the network. For example, the client can be pre-configured with both the domain name and IP addresses of the public resolver, or is pre-configured with the IP address of a resolver which uses the IP address in the certificate as its identifier. In this case, the extended error codes defined in RFC 8914 cannot be returned to the client to provide additional information about the cause for the block.

-Tiru

> Tommy
>
>> [RFC7149] recommends validation of responses using NSEC3.
>
> Nit: RFC 7129.
>
> Broader note: I think it would be better to drop the "private-only" flag,
> as well as the NSEC test and top-domains list. While this arrangement of
> claiming domain names that are known not to exist globally is possibly
> allowed by RFC 2826, I don't think it's a good practice. For example,
> there is no such domain as "login.citibank.com", but I think it would be
> bad security practice (and also a bad architecture) to allow networks to
> claim that name.
>
> Note that private-only names are still supported. If the local resolver
> is authoritative for corp.example.com, it can serve queries for
> login.corp.example.com, even if login.corp.example.com is NXDOMAIN when
> queried externally.
>
> On Thu, Mar 11, 2021 at 1:26 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>> The revised draft
>> https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns-01
>> addresses comments from Ben. Further comments and suggestions are welcome.
>>
>> Cheers,
>> -Tiru
>>
>> ---------- Forwarded message ---------
>> From: <internet-drafts@ietf.org>
>> Date: Thu, 11 Mar 2021 at 11:54
>> Subject: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
>> To: Tirumaleswar Reddy.K <kondtir@gmail.com>, Dan Wing <danwing@gmail.com>
>>
>> A new version of I-D, draft-reddy-add-enterprise-split-dns-01.txt
>> has been successfully submitted by Tirumaleswar Reddy and posted to the
>> IETF repository.
>>
>> Name:           draft-reddy-add-enterprise-split-dns
>> Revision:       01
>> Title:          Split-Horizon DNS Configuration in Enterprise Networks
>> Document date:  2021-03-10
>> Group:          Individual Submission
>> Pages:          12
>> URL:            https://www.ietf.org/archive/id/draft-reddy-add-enterprise-split-dns-01.txt
>> Status:         https://datatracker.ietf.org/doc/draft-reddy-add-enterprise-split-dns/
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns
>> Htmlized:       https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-01
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-reddy-add-enterprise-split-dns-01
>>
>> Abstract:
>>    When split-horizon DNS is deployed by an enterprise, certain
>>    enterprise domains are only resolvable by querying the network-
>>    provided DNS server. DNS clients which use DNS servers not provided
>>    by the network need to route those DNS domain queries to the network-
>>    provided DNS server. This document informs DNS clients of split-
>>    horizon DNS, their DNS domains, and is compatible with encrypted DNS.
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
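Added example, not code from this thread, from the draft or from any IETF project. It illustrates two mechanisms the discussion above relies on: the RFC 8914 Extended DNS Error (EDE) option that a network-provided resolver would use to carry a "Blocked" code plus reason text inside the EDNS0 OPT RR (the signal Tiru points out cannot reach a client whose queries to an outside resolver are simply dropped), and the split-horizon routing check from the draft's abstract, which sends only names under a network-claimed domain such as corp.example.com (Ben's example) to the network resolver. The domain list, resolver addresses and option payloads are constructed for illustration; the option code 15 and INFO-CODE values are those registered by RFC 8914.

```python
"""Added example (not from the thread or the draft): RFC 8914 EDE encode/decode
and a label-boundary-aware split-DNS routing check. Sample data is constructed."""
from __future__ import annotations

import struct

EDNS_OPTION_EDE = 15   # EDNS option code for Extended DNS Error (RFC 8914)
EDE_BLOCKED = 15       # INFO-CODE: on the resolver operator's own blocklist
EDE_CENSORED = 16      # INFO-CODE: blocked due to an external requirement
EDE_FILTERED = 17      # INFO-CODE: blocked because the client asked for filtering
EDE_PROHIBITED = 18    # INFO-CODE: server not authorized / client not permitted
OPT_TYPE = 41          # RR type of the EDNS0 OPT pseudo-RR (RFC 6891)


def encode_ede(info_code: int, extra_text: str = "") -> bytes:
    """One EDE option: OPTION-CODE(2) OPTION-LENGTH(2) INFO-CODE(2) EXTRA-TEXT(UTF-8)."""
    text = extra_text.encode("utf-8")
    return struct.pack("!HHH", EDNS_OPTION_EDE, 2 + len(text), info_code) + text


def build_opt_rr(options: bytes, udp_payload_size: int = 1232) -> bytes:
    """Minimal wire-format OPT RR: NAME=root (0x00), TYPE=41, CLASS=UDP payload
    size, TTL=extended-RCODE/version/flags (all zero here), RDLENGTH, RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, len(options)) + options


def decode_ede(opt_rdata: bytes) -> list[tuple[int, str]]:
    """Return (info_code, extra_text) for every EDE option in OPT RDATA.
    Bounds-checked: an option whose OPTION-LENGTH overruns the buffer stops
    parsing instead of over-reading; unknown option codes are skipped."""
    found, i = [], 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, i)
        i += 4
        body = opt_rdata[i:i + length]
        if len(body) != length:
            break  # truncated option: do not trust a partial value
        i += length
        if code == EDNS_OPTION_EDE and length >= 2:
            (info,) = struct.unpack_from("!H", body, 0)
            found.append((info, body[2:].decode("utf-8", errors="replace")))
    return found


def decode_ede_from_opt_rr(opt_rr: bytes) -> list[tuple[int, str]]:
    """Unwrap a wire-format OPT RR (as produced by build_opt_rr) and decode its EDEs."""
    if len(opt_rr) < 11 or opt_rr[0] != 0:
        raise ValueError("not an OPT RR (expected root NAME)")
    rtype, _udp_size, _ttl, rdlen = struct.unpack_from("!HHIH", opt_rr, 1)
    if rtype != OPT_TYPE:
        raise ValueError(f"expected TYPE 41, got {rtype}")
    rdata = opt_rr[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated OPT RR")
    return decode_ede(rdata)


def in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or lies below it, respecting label boundaries:
    login.corp.example.com is under corp.example.com, notcorp.example.com is not,
    although a naive name.endswith("corp.example.com") would accept it."""
    n = name.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def choose_resolver(qname: str, private_domains: list[str],
                    network_resolver: str, client_resolver: str) -> str:
    """Split-horizon routing: only names under a network-claimed private domain
    go to the network-provided resolver; everything else stays with the client's."""
    if any(in_domain(qname, dom) for dom in private_domains):
        return network_resolver
    return client_resolver


def demo() -> dict:
    # Constructed scenario (assumption): the network claims corp.example.com and
    # its resolver answers a blocked name with EDE Blocked plus reason text.
    private_domains = ["corp.example.com"]
    network_resolver, client_resolver = "192.0.2.53", "203.0.113.53"  # documentation ranges
    routing = {q: choose_resolver(q, private_domains, network_resolver, client_resolver)
               for q in ["login.corp.example.com", "notcorp.example.com", "example.org"]}
    opt_rr = build_opt_rr(encode_ede(EDE_BLOCKED, "enterprise policy: resolver-only network"))
    return {"routing": routing, "ede": decode_ede_from_opt_rr(opt_rr)}


if __name__ == "__main__":
    print(demo())
```

The label-boundary check in `in_domain` is the part worth copying: a plain suffix match would let a network claiming `corp.example.com` also capture `notcorp.example.com`. The EDE path only helps when the query reaches a resolver that answers; a query to a pre-configured outside resolver that the network drops on the wire never carries an OPT RR back, which is exactly the case the reply above describes.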