Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt

Ralf Weber <dns@fl1ger.de> Mon, 24 January 2022 15:45 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B50D3A102D for <add@ietfa.amsl.com>; Mon, 24 Jan 2022 07:45:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fRIHpAuz5dGb for <add@ietfa.amsl.com>; Mon, 24 Jan 2022 07:45:06 -0800 (PST)
Received: from smtp.guxx.net (smtp.guxx.net [IPv6:2a01:4f8:a0:322c::25:42]) by ietfa.amsl.com (Postfix) with ESMTP id 1FAE13A1025 for <add@ietf.org>; Mon, 24 Jan 2022 07:45:05 -0800 (PST)
Received: from [192.168.42.141] (p4ff53ba1.dip0.t-ipconnect.de [79.245.59.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id A7BAB5F4042E; Mon, 24 Jan 2022 15:45:03 +0000 (UTC)
From: Ralf Weber <dns@fl1ger.de>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Paul Wouters <paul@nohats.ca>, ADD Mailing list <add@ietf.org>, tirumal reddy <kondtir@gmail.com>
Date: Mon, 24 Jan 2022 16:45:03 +0100
X-Mailer: MailMate (1.14r5861)
Message-ID: <8DA1814C-FA1C-49DD-986D-315865D44E5C@fl1ger.de>
In-Reply-To: <CAHbrMsDDjvkBBAQnANPC0ENktNdsuf7yuVRu9W43y9UNqZP1fw@mail.gmail.com>
References: <164273967921.28045.13105308218406662743@ietfa.amsl.com> <CAFpG3geerJH+jWEZpZnHJpEFcOr+81WyOFvWoAaHmR6N4jBZyg@mail.gmail.com> <4182fe-1e8-ef1-d3e5-75b17da23b9e@nohats.ca> <CAHbrMsBvy6F05y+rXzS+KtpOCn4+RCcJnjLdduHfdz8ENCOQzw@mail.gmail.com> <15222769-7BD4-49D4-AC67-DAD86191DB6E@fl1ger.de> <CAHbrMsDDjvkBBAQnANPC0ENktNdsuf7yuVRu9W43y9UNqZP1fw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/VAmX2ygNNHNN9kw2ZRFxHy2ury4>
Subject: Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jan 2022 15:45:08 -0000

Moin!

On 24 Jan 2022, at 16:20, Ben Schwartz wrote:
> I think this is fine.  You just publish DS records for both the internal
> and external DNSKEYs.  Validation will then succeed for records signed by
> either key.
But then I give away that corp.example.com exists and that it has a DNSKEY.

>> Also keep in mind that if
>>         corp.example.com
>> is NXDomain externally you need a special/different
>>         example.com
>> internally to delegate corp.example.com.
>>
>
> Agreed.  The claimed zone (which could be "example.com" or "corp.example.com")
> must resolve differently internally and externally, or you haven't actually
> "split" anything.
I have. example.com is different externally then internally. Externally it is
missing the corp.example.com delegation.

>> I’ve always envisioned DNSSEC split horizon needing an internal trust anchor
>> because of this ideally in the recursive resolver and stub resolver.
>>
>
> I don't think there's any need for a separate trust anchor.
In the above example there is, as corp.example.com does not exist in public space
or are you saying that the case I described is not split DNS?

So long
-Ralf
——-
Ralf Weber