Re: [Add] Fwd: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

tirumal reddy <kondtir@gmail.com> Tue, 30 March 2021 05:39 UTC

References: <161544385340.18570.13061001177806683345@ietfa.amsl.com> <CAFpG3geAq9oTEJp+uFQ_vHdATgT9Faza-tJURciO=RheLgLDug@mail.gmail.com> <CAHbrMsCK5BUNzF+8nd722R-BR612mM+3oA6x9RzoT_osHWWRzg@mail.gmail.com>
In-Reply-To: <CAHbrMsCK5BUNzF+8nd722R-BR612mM+3oA6x9RzoT_osHWWRzg@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 30 Mar 2021 11:09:24 +0530
Message-ID: <CAFpG3geiJjJE70pjFf5Df0z0EX25r0+Pg0HPW2c+pMj4r+nruA@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000701e4e05beba6ca3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/aZQVgSYPGmyxv5Io9D7-e3iOUro>
Subject: Re: [Add] Fwd: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

Hi Ben,

Please see inline

On Fri, 12 Mar 2021 at 00:32, Ben Schwartz <bemasc@google.com> wrote:

> Thanks for the updates.  Some comments
>
> Section 6:
>
>>    If an Enterprise network restricts all the DNS queries to be sent to
>>    the network-provided DNS server, SplitDNSAllowed will be set to
>>    false.
>
>
> This is clearly a policy prescription, and is out of scope.  I think this
> key should be removed from the draft.
>

It is only a policy expression and definitely not a policy prescription.
Updated the draft to clarify.


>
> > [RFC7149] recommends validation of responses using NSEC3.
>
> Nit: RFC 7129.
>

> Broader note: I think it would be better to drop the "private-only" flag,
> as well as the NSEC test and top-domains list.
>

Yes, removed all of the above in 02 revision.


> While this arrangement of claiming domain names that are known not to
> exist globally is possibly allowed by RFC 2826, I don't think it's a good
> practice.  For example, there is no such domain as "login.citibank.com",
> but I think it would be bad security practice (and also a bad architecture)
> to allow networks to claim that name.
>
> Note that private-only names are still supported.  If the local resolver
> is authoritative for corp.example.com, it can serve queries for
> login.corp.example.com, even if login.corp.example.com is NXDOMAIN when
> queried externally.
>

Agreed, please see
https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-02#section-10

Cheers,
-Tiru

>
> On Thu, Mar 11, 2021 at 1:26 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>> The revised draft
>> https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns-01
>> addresses comments from Ben. Further comments and suggestions are welcome.
>>
>> Cheers,
>> -Tiru
>>
>> ---------- Forwarded message ---------
>> From: <internet-drafts@ietf.org>
>> Date: Thu, 11 Mar 2021 at 11:54
>> Subject: New Version Notification for
>> draft-reddy-add-enterprise-split-dns-01.txt
>> To: Tirumaleswar Reddy.K <kondtir@gmail.com>, Dan Wing <danwing@gmail.com>
>>
>>
>>
>> A new version of I-D, draft-reddy-add-enterprise-split-dns-01.txt
>> has been successfully submitted by Tirumaleswar Reddy and posted to the
>> IETF repository.
>>
>> Name:           draft-reddy-add-enterprise-split-dns
>> Revision:       01
>> Title:          Split-Horizon DNS Configuration in Enterprise Networks
>> Document date:  2021-03-10
>> Group:          Individual Submission
>> Pages:          12
>> URL:            https://www.ietf.org/archive/id/draft-reddy-add-enterprise-split-dns-01.txt
>> Status:         https://datatracker.ietf.org/doc/draft-reddy-add-enterprise-split-dns/
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-reddy-add-enterprise-split-dns
>> Htmlized:       https://tools.ietf.org/html/draft-reddy-add-enterprise-split-dns-01
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-reddy-add-enterprise-split-dns-01
>>
>> Abstract:
>>    When split-horizon DNS is deployed by an enterprise, certain
>>    enterprise domains are only resolvable by querying the network-
>>    provided DNS server.  DNS clients which use DNS servers not provided
>>    by the network need to route those DNS domain queries to the network-
>>    provided DNS server.  This document informs DNS clients of split-
>>    horizon DNS, their DNS domains, and is compatible with encrypted DNS.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at
>> tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>> --
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
>>
>
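The rule Ben states above (a network-provided resolver may serve login.corp.example.com when it is authoritative for corp.example.com, but must not be allowed to claim an unrelated name such as login.citibank.com) can be expressed as a client-side routing policy. The following is an added example written for this page, not code from the draft, the thread or either author. It assumes a hypothetical `verify_authority` callback standing in for whatever proof of zone authority the client uses; the claimed zones and query names are constructed sample data. Names are compared label by label rather than by string suffix, so a claim for corp.example.com does not capture notcorp.example.com.

```python
"""Client-side split-horizon routing decision (added example, not from the draft).

Models the rule from the thread: only names under a zone the network has
proven authority for are routed to the network-provided resolver.  Authority
verification itself is abstracted behind a callback (an assumption of this
example); the zones and query names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


def dns_labels(name: str) -> Tuple[str, ...]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return ()
    labels = name.split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return tuple(labels)


def is_subdomain(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it, compared label by label.

    A plain string suffix test would wrongly accept 'notcorp.example.com'
    for the zone 'corp.example.com'; comparing whole labels avoids that.
    """
    n, z = dns_labels(name), dns_labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass
class SplitHorizonPolicy:
    # Zones the network claims, kept only once verify_authority accepts them.
    accepted_zones: List[str] = field(default_factory=list)
    rejected_zones: List[str] = field(default_factory=list)

    def load_claims(self, claimed: List[str],
                    verify_authority: Callable[[str], bool]) -> None:
        for zone in claimed:
            labels = dns_labels(zone)
            # Refuse the root and single-label (TLD) claims outright: no
            # enterprise network is authoritative for '.' or 'com'.
            if len(labels) < 2 or not verify_authority(zone):
                self.rejected_zones.append(zone)
            else:
                self.accepted_zones.append(zone)

    def route(self, qname: str) -> str:
        """Return 'network' if qname is under an accepted zone, else 'external'."""
        for zone in self.accepted_zones:
            if is_subdomain(qname, zone):
                return "network"
        return "external"


# Constructed stand-in for authority verification (assumption of this
# example): a real client would check proof that the network controls the
# zone.  Here the network is taken to have proven corp.example.com only.
PROVEN_ZONES = {"corp.example.com"}


def demo_verify(zone: str) -> bool:
    return dns_labels(zone) in {dns_labels(z) for z in PROVEN_ZONES}


def build_demo_policy() -> SplitHorizonPolicy:
    policy = SplitHorizonPolicy()
    # The network claims a zone it controls, a name it does not control
    # (the login.citibank.com case from the thread), and a whole TLD.
    policy.load_claims(["corp.example.com.", "login.citibank.com", "com"],
                       demo_verify)
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    print("accepted:", p.accepted_zones, "rejected:", p.rejected_zones)
    for q in ["login.corp.example.com", "notcorp.example.com",
              "login.citibank.com", "www.example.com"]:
        print(f"{q:28} -> {p.route(q)}")
```

Only login.corp.example.com is sent to the network-provided resolver; the claims for login.citibank.com and com are dropped at load time, and the look-alike notcorp.example.com goes to the client's external resolver because the label comparison never matches it.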