Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns
Paul Wouters <paul@nohats.ca> Thu, 05 May 2022 19:57 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4D5C1594AD for <add@ietfa.amsl.com>; Thu, 5 May 2022 12:57:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PnbkJ_azLMYY for <add@ietfa.amsl.com>; Thu, 5 May 2022 12:57:19 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FCBBC15949C for <add@ietf.org>; Thu, 5 May 2022 12:57:18 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4KvPcC2mnKzKMR; Thu, 5 May 2022 21:57:15 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1651780635; bh=UCH3yVQ90Iz88l/2UH1teIx2HEbfEOyFlpMGWLcHlTU=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=ME+YW40pfK50ilG3CFu0+tOyG30K79cMciGUIUBrriMDw18oDmwKs+lBTh11rnh+Y JJrN53a+WXibJLQOQWacYhtN9JmvCdQp9JnEW3dd0ADY9b5qEtzVsR8xgokjuom5xE RDA5N35bw+6Of2IZwzKupRnNoaz9Gkafkx2CAKJU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 0lxnCfqcBLr6; Thu, 5 May 2022 21:57:14 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 5 May 2022 21:57:14 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 9141C33CBD3; Thu, 5 May 2022 15:57:13 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8E43233CBD2; Thu, 5 May 2022 15:57:13 -0400 (EDT)
Date: Thu, 05 May 2022 15:57:13 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
cc: "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>
In-Reply-To: <CAHbrMsAcpHFon+JS9jsLdqANt+1FmkA_VDAwW4PSUDMJwtbavA@mail.gmail.com>
Message-ID: <14b56185-4fe3-8e4b-adcf-22ddb624329@nohats.ca>
References: <BYAPR11MB3111FD2D0FF61231304A5F3DEAC29@BYAPR11MB3111.namprd11.prod.outlook.com> <CAHbrMsAcpHFon+JS9jsLdqANt+1FmkA_VDAwW4PSUDMJwtbavA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/dEscRltpDIsVei3u2iexXUWlbd8>
Subject: Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2022 19:57:23 -0000
On Thu, 5 May 2022, Ben Schwartz wrote: > Subject: Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns > > I would like to note to the group that the title of this draft, and also much of the content, has changed in this revision. The title is now > "Establishing Local DNS Authority in Split-Horizon Environments", reflecting a narrower technical focus. > > One major adjustment, compared to previous versions, is that the draft is no longer restricted to networks that use Provisioning Domains (PvD)*. > Section 4 now notes ways that this approach can be used in conjunction with a variety of configuration mechanisms, including plain DHCP. Speaker as an individual, I don't think this update resolves the core question on how the document handles split-dns networks. It defines the most common type of split-DNS, the scenario where an internal subdomain only exists in the internal view as "improper", and out of scope which to me would mean this document cannot obtain realistic deployment at large. It kinda Updates: (without doing so) the IKEv2 split-DNS case by suggesting this new mechanism can be trusted enough to override what RFC 8598 clearly punts to the authorized and authenticated provisioning part. Which is even more troublesome because of the next point. The draft still conflates data origin protection (DNSSEC) with transport protection (eg DoH, DoT) by calling the authentication of data that is needed "tamperproof" and defining that as "a method that is not subject to interference by the local network operator". Of course, DoH and DoT are still vulnerable to a non-local network operator if there is no DNSSEC to prove data was unmodified. For example, deployments of mandatory DoH/DoT servers by ISPs or nations that perform domain overrides that this document would still consider "tamperproof" which in the presense of DNSSEC could not be possible, but this document now enables. In short, this document tries to solve the battle between the enduser and the network operator, and I think that is a battle that cannot be won by either side. The only real solution I see is one similar to the IKEv2 split-DNS case, one where there is basically an authenticated and authorized provisioning step that enables the user to join an "enterprise network" wich can demand all or a subnet of DNS traffic which the user is required to opt-in to. And even that is tricky when a user is kinda forced to accept to get any connectivity, say in a hotel or coffeeshop (or repressive regime) Paul
- [Add] WG Adoption Call draft-reddy-add-enterprise… Deen, Glenn
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Ben Schwartz
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Paul Wouters
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Ben Schwartz
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Paul Wouters
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Ben Schwartz
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Michael Richardson
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Martin Thomson
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… tirumal reddy
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Paul Wouters
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Michael Richardson
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… tirumal reddy
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… tirumal reddy
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… tirumal reddy
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Eliot Lear
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Diego R. Lopez
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… mohamed.boucadair
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Vinny Parla (vparla)
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Tommy Pauly
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Andrew Campling
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Jim Reid
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Deen, Glenn
- Re: [Add] WG Adoption Call draft-reddy-add-enterp… Eric Vyncke (evyncke)