Re: [Add] add-enterprise-split-dns and split horizon DNS

Paul Wouters <paul@nohats.ca> Fri, 03 December 2021 02:31 UTC

From: Paul Wouters <paul@nohats.ca>
Date: Thu, 02 Dec 2021 21:31:16 -0500
Message-Id: <F8B0007E-0ABC-4E1A-A102-0E53A1451F93@nohats.ca>
References: <60F1A5E0-056F-4B43-B4B9-EDA893ECDAE3@gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, add@ietf.org
In-Reply-To: <60F1A5E0-056F-4B43-B4B9-EDA893ECDAE3@gmail.com>
To: Dan Wing <danwing@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/acR4WLpVYa9ZbPqY7Xe1zcHDQ0w>

On Dec 2, 2021, at 20:46, Dan Wing <danwing@gmail.com> wrote:
> 
> Split-horizon DNS has the same name on the inside ("private") network as on the outside ("public"), but they resolve to different IP addresses.

That is one form of split DNS. Split simply means there is more than one view that is different.

> If there is an internal delegation where "corp.example.com" is only resolvable from the inside that is not "split DNS" -- at least, not by my definition.

You seem to be trying to redefine the definition then.

> Such an internal-only delegation is a far easier problem because if the wrong DNS server is queried, it won't have any answer (ignoring data leakage issues of querying the wrong DNS, of course).

That it won’t resolve to anything won’t make the problem easier.

> Split DNS is complicated because querying the wrong DNS returns the wrong answer and the wrong IP address is either not routable from the Internet or gives the public view of the resource when the "employee" view was desired.

I really would not use this definition of split DNS. It will lead to confusion and solutions offered would be incomplete and not cover the actual issues this WG is trying to address.

> I agree the proposal in our document may not be ideal.  During the presentation and Q&A we discussed briefly another approach to test for a squatted domain by using DNSSEC rather than querying a public DNS server.

I don’t think typo squatting is a problem in scope for recursive resolver selection for specific domain names.

The problem remains how to securely receive, validate and authorize a list of domain names that should be resolved via the local network advertised nameserver.

The solution seems to steer towards “putting things in public DNS”, which I do not think is the right solution. Defining “internal only domains” as “not split DNS” is not a workable solution for this.


Paul
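An added illustration of the two split-DNS cases this thread distinguishes (same name with different answers per view, and an internal-only delegation the public view lacks), together with a client-side resolver selector that only sends names under an already-authorized suffix list to the local resolver. This is example code written for this page, not from the draft or either author; the suffix list, zone data and addresses are constructed sample values.

```python
# Added illustration (not from the draft or this thread): a client-side
# resolver selector that routes queries for an authorized list of domain
# suffixes to the local resolver and everything else to a public one, with
# a toy two-view zone showing the two split-DNS cases discussed above.
# Names, addresses and zone data below are constructed sample values.

# Assumed: the list has already been received, validated and authorized
# (the open problem the thread describes); this code only applies it.
AUTHORIZED_LOCAL_SUFFIXES = ["corp.example.com", "example.net"]

# Constructed two-view data: www.example.net exists in both views with
# different answers (split horizon); wiki.corp.example.com is an
# internal-only delegation that the public view does not know at all.
ZONES = {
    "local": {"www.example.net": "10.0.0.10", "wiki.corp.example.com": "10.0.1.5"},
    "public": {"www.example.net": "203.0.113.10"},
}

def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are label-exact."""
    return name.lower().rstrip(".")

def under_suffix(name, suffix):
    """Match only on a label boundary: 'notcorp.example.com' must not
    be captured by an authorization for 'corp.example.com'."""
    name, suffix = normalize(name), normalize(suffix)
    return name == suffix or name.endswith("." + suffix)

def select_resolver(name, suffixes=AUTHORIZED_LOCAL_SUFFIXES):
    """Use the local resolver only for names under an authorized suffix."""
    return "local" if any(under_suffix(name, s) for s in suffixes) else "public"

def resolve(name, view):
    """Answer from one view; None stands for NXDOMAIN / no data."""
    return ZONES[view].get(normalize(name))

def lookup(name):
    """What the client gets when the selector picks the view for it."""
    return resolve(name, select_resolver(name))
```

Querying the public view directly shows both failure modes the thread argues about: `www.example.net` gets the public address instead of the employee one, while `wiki.corp.example.com` gets no answer at all.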