IETF Logo Mail Archive

Re: [Add] add-enterprise-split-dns and split horizon DNS

Eric Rescorla <ekr@rtfm.com> Fri, 03 December 2021 00:34 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ED3E3A096C for <add@ietfa.amsl.com>; Thu, 2 Dec 2021 16:34:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwQjsm5aHTno for <add@ietfa.amsl.com>; Thu, 2 Dec 2021 16:34:48 -0800 (PST)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E67083A096B for <add@ietf.org>; Thu, 2 Dec 2021 16:34:47 -0800 (PST)
Received: by mail-io1-xd29.google.com with SMTP id y16so1732622ioc.8 for <add@ietf.org>; Thu, 02 Dec 2021 16:34:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Pv12krqYpxHuYc74JJuegRlRFDOxsaRXei2EEWppUMg=; b=7m1FHsjGcmPuY/7bdrlhZ7ihEKcksf08uYtZXUsPcCRMKbC5S24iClSdvaHz7A6RVg NVmG6siW3B1mIqHEZTaECZqFrA7AAEifXTd/iyvv/dezQhK+wvEZLXoq8y0f6REE5QGV 6z02GqIW4mCZ4puKZwvoy3xUrjXAg9d6s5G09ZYqBZ2NAROlj64NVxybVbTVFOhxyF1R 2xRhWUtEuqQJRytW162vaIItDvik8MlpfY9o2lkzMWeGdg6OHshm8oAvLZsM44JPaKNA 8tqeYE1i7ZTuddt5TfCrB8sMNRCJAF3vVW5FZs+gSHDwE5a3d2Apkv79rJVoQQphoM6w 849g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Pv12krqYpxHuYc74JJuegRlRFDOxsaRXei2EEWppUMg=; b=XCeSxFvrQIoaB6WWjcXzRhw1JqktNf4QufH4BkTz5+lx/ck7pN96F20dfYemukncuq GOFvPvE6KrCrHwHKtOQyu10s5HSgKNVqSJQqK94DyVVx44i440cF7FELg1lL67CUeGZ2 2NB6rHrdPNbLgMKCIOdqJDM2P6yzPpcN+Hs01SnCq4N7LWkoM0SVoZS0ZAglVzBTkoTR mPWwgfyufGx8sgcq3NfmfzDUpTN46wi7wO3uamnUhGFbJiVNgnCmEbuDggS0CrzJ6mbK 6B/PZH7EmkEODyKNHjeXuzgyiVefHowc+QzxzPj4lh4LC1HxJfP2X7i3RwyHbYTSAp+H bR0g==
X-Gm-Message-State: AOAM530PIXEGDlujhOGSza2i/Yp/ogeZtKJ0LC2bZOJEkeUKFIKrXASE EGJ76hVOF1skgmEkOEGUZ01249Zdy+pp14lSJXcVlw==
X-Google-Smtp-Source: ABdhPJxkMo10VrupoyHrfOg1Q2a0kS2neKjnjPdVHBOxUV+6Uy0SNPcSKPsYxMgJYp7SeGATiN31Yo8nddIxLD/T7b0=
X-Received: by 2002:a6b:b4cc:: with SMTP id d195mr17647954iof.0.1638491685958; Thu, 02 Dec 2021 16:34:45 -0800 (PST)
MIME-Version: 1.0
References: <152347.1638473207@dooku>
In-Reply-To: <152347.1638473207@dooku>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 02 Dec 2021 16:34:10 -0800
Message-ID: <CABcZeBMyZLSE2HZ2dL+P6Dq3hMaG2QgTRrUuAjHTB7pJpXTaMQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e8d06305d2331253"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/esXRyza6SfkdEvk6c0fanMYXhA8>
Subject: Re: [Add] add-enterprise-split-dns and split horizon DNS
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Dec 2021 00:34:53 -0000

On Thu, Dec 2, 2021 at 11:27 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> I have just watched the ADD-20211108-1600 session from IETF112.
> I had a conflicting session.
>
> What I took from the conversation is that many people would like to solve
> DDR
> in a split-horizon situation, and that if we could find a solution that
> solved typo-squatting by local resolvers that would also be very welcome.
> (typo-squatting is of course trivially solved by DNSSEC, which I'm told
> browsers refuse to implement because miliseconds...)
>

I don't know who told you this, but that's not the reason that browsers do
not
implement DNSSEC. The primary reason that browsers do not implement DNSSEC
is
because of concerns that otherwise valid resolutions will fail due to
recursive
resolvers/middleboxes incorrectly handling DNSSEC records, thus resulting
in increased user-visible error rates.

-Ekr


> The document says:
>
>    A typical use case is an Enterprise network that requires one or more
>    DNS domains to be resolved via network-designated DNS servers.  This
>    can be a special domain, such as "corp.example.com" for an enterprise
>    that is publicly known to use "example.com".  In this case, the
>    endpoint needs to be informed what the private domain names are and
>    what the IP addresses of the network-designated DNS servers are.  An
>    Enterprise can also run a different version of its global domain on
>    its internal network.  In that case, the client is instructed to send
>    DNS queries for the enterprise public domain (e.g., "example.com") to
>    the network-designated DNS servers.  A configuration for this
>    deployment scenario is referred to as a Split DNS configuration.
>    Another use case for split-horizon DNS is Cellular and Fixed-access
>    networks (ISPs) typically offer private domains, including account
>    status/controls, and free education initiatives [INS].
>
> and I'd like to strongly distinguish the case of "corp.example.com"
> (I've also seen and used "intranet.example.com"...) from one where there
> are
> different "authoritative" views of example.com.
>
> In fact, I'd like the document to put these two into different sections.
> I think that we need to write a BCP that strongly encourages
> corp.example.com
> as the model for hiding names.
> Dan and Wesley mentioned previous efforts that had failed.
> I'd like to understand more about what was proposed and how/when/why they
> failed.
>
> Maybe the issues are different now and we could get consensys around
> something.
> Yeah, maybe that does not fit into the ADD charter: but it seems that ADD
> (DDR) might be a forcing function to finally do something here.
>
> I don't like the solution in this document.
> I am in favour of solving the problem though.
> I don't like PvD at all.
>
> But, the entire issue seems to fall into the "Doctor! Doctor! It hurts
> when I push
> this knife into the electrical socket! What can you prescribe to deal with
> the hurt?"
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email