IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Ted Lemon <mellon@fugue.com> Tue, 09 November 2021 15:16 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 545393A0E1B for <add@ietfa.amsl.com>; Tue, 9 Nov 2021 07:16:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LiKxP1Ty0Lp5 for <add@ietfa.amsl.com>; Tue, 9 Nov 2021 07:16:10 -0800 (PST)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D9D53A0E2A for <add@ietf.org>; Tue, 9 Nov 2021 07:16:10 -0800 (PST)
Received: by mail-oi1-x234.google.com with SMTP id t19so3958934oij.1 for <add@ietf.org>; Tue, 09 Nov 2021 07:16:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oLjZmNw9fsthwOG0uGBS9Njtxs4dhRQfcsOjcjEUnT4=; b=WIQX2wRP8NV7w/bpCQO5YjFNNcHFBLrm/JwhSCOK8kaQY6lt9g3ZMuZyPspZGDuoRW rBvRaursmNlNc/bsNtvmo7M0dVPA5ySMgTpeaJ5vx1kdc1gpxSyNtwO8ejpSGMGFcSx2 Z2ugZGMOYCpG1kisHIgQO9/OCkONe0Xc/SSDXN3UI0tWHCBZDtuAKqSS4MKpEEv6AC9+ McfLhsvEMX+IRx1kMt+suB+umF/DeK9P74qVJUwyvZwCICSYSPyd/3BAtZDpbBRbpseU z4aKTHL+WzUwX5p+B1bXQ4KexuP4o70CmwB2Rf+eSCO5Rb6JBn0V2uqa9i62qyKp238J DUIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oLjZmNw9fsthwOG0uGBS9Njtxs4dhRQfcsOjcjEUnT4=; b=eif8C8ir31zgzeI3BhNkWSgl6Lt62QTr+NGVe5ElGHkpEYX5nwUh9mLGOTVpjHDFSO qLt0PhcydSVinaetgGP2c58g+gFhAG1jF2pq2VlvMTmw5S8Es0wD347GolC4i2kOYZdb nw5N6JhLZbV4cwL2by3LbArw9GrZ+yXfE7fkwb812K5VY0jKR9tBf30ZEcZt6I29Pmrv O0DwnRch8WB+yOT6SxWH6w35vfqFsFKOQwlJKgklmBL3ndCt8IU9gtE5Ri3Ez5mrt98G CQ/dSOemqg5TTa31JO49tIruleem3TwOTETF7kmUDC3nrmm16Sv+2DQJPuLyNcHjh+KA h69Q==
X-Gm-Message-State: AOAM533uxuQoCGu9eyYHTvHGcNH748ZKpwJA9uiFWTiOCBJX5AIGg8Fj 4vaIwdfmJcGfcgrlByI7YHqIE9OxU0dlhN4lOEBqNWAVAopBPA==
X-Google-Smtp-Source: ABdhPJyssoex2JwnlZArrME7aERnvfop/b5gxvgCz8kIQbJeU6mLK8o6BP/9fbBalPORd8KCOr22FkW8FwiIgn/tMhk=
X-Received: by 2002:a05:6808:f0c:: with SMTP id m12mr6197627oiw.55.1636470968825; Tue, 09 Nov 2021 07:16:08 -0800 (PST)
MIME-Version: 1.0
References: <yblk0hio8pu.fsf@w7.hardakers.net> <28611.1636465525@localhost> <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com> <aea95242-4e80-e4cb-b5bb-da34105e7ed1@lear.ch>
In-Reply-To: <aea95242-4e80-e4cb-b5bb-da34105e7ed1@lear.ch>
From: Ted Lemon <mellon@fugue.com>
Date: Tue, 09 Nov 2021 10:15:32 -0500
Message-ID: <CAPt1N1kGs851Q_BMq1NDzm80xHbrKLJWwt1JzAmZAtafXeoqPg@mail.gmail.com>
To: Eliot Lear <lear@lear.ch>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, add@ietf.org, Wes Hardaker <wjhns1@hardakers.net>
Content-Type: multipart/alternative; boundary="000000000000c84cc005d05c9602"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ZB7NEhihnXxQLPovNRbu5W_-HUs>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 15:16:15 -0000

It might indeed be nice to consider a way to make DNSSEC work that
acknowledges the existence of a shared public/private namespace. But it
would have to be easier to operate than just operating two namespaces that
both validate from the same delegation, which is what we can do today.

On Tue, Nov 9, 2021 at 10:10 AM Eliot Lear <lear@lear.ch> wrote:

> Or... maybe it's time for a new trust model with regard to name
> ownership, to account for reality on the ground.  This might also permit
> us to admit that DNSSEC itself has serious deployment problems.
>
> On 09.11.21 15:47, Tommy Pauly wrote:
> >
> >> On Nov 9, 2021, at 5:45 AM, Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
> >>
> >>
> >> Wes Hardaker <wjhns1@hardakers.net> wrote:
> >>
> >>> A past draft was written about how to handle split DNS within DNSSEC.
> >>>
> https://datatracker.ietf.org/doc/html/draft-krishnaswamy-dnsop-dnssec-split-view
> >>> This may be useful information for the
> >>> draft-reddy-add-enterprise-split-dns draft
> >> Yes, I agree that it's useful.
> >> I continue to suggest that split-view is silly (and I sold devices that
> >> promoted this in the mid-1990s)
> >>
> >> A private delegation of "internal.example.com" works much better,
> >> particularly in the modern world of IPv6, VPNs, and Remote Access.
> > Having a specific zone / subdomain that’s used for non-public hosts is
> certainly a clean way to handle split-DNS cases. This allows for simple
> techniques like failing back to some internal resolver when you don’t have
> an a priori mapping of which names should use the internal resolver, and it
> makes cases where you have a trusted list of internal domains (like VPN)
> very simple.
> >
> > Sadly the reality of so many deployments is that there isn’t a clean cut
> for “internal” or “private” names. Maybe we can hope that deployments that
> use dual-facing or dual-resolving hosts will eventually stop, but I don’t
> see that happening any time soon.
> >
> >>> Also of interest is what problems exist with doing private name spaces
> >>> and how hard this problem is and why DNSOP has never managed to publish
> >>> something about it:
> >>> https://www.rfc-editor.org/rfc/rfc8244.html
> >>> And if you back search DNSOP mailing list, this has a huge history
> >>> behind it.
> >> yup.
> >> I wrote:
> >>
> https://datatracker.ietf.org/doc/draft-richardson-homenet-secret-gardens/
> a
> >> long time ago, but never pursued it because Provider Domains was too far
> >> along.
> >>
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT
> consulting )
> >>            Sandelman Software Works Inc, Ottawa and Worldwide
> >> --
> >> Add mailing list
> >> Add@ietf.org
> >> https://www.ietf.org/mailman/listinfo/add
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email