IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 10 November 2021 20:08 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79B143A131D for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 12:08:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HyCS_3s-X9f for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 12:08:44 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31B4E3A1533 for <add@ietf.org>; Wed, 10 Nov 2021 12:08:21 -0800 (PST)
Received: from dooku.sandelman.ca (cpef81d0f835a73-cmf81d0f835a70.sdns.net.rogers.com [174.115.215.42]) by relay.sandelman.ca (Postfix) with ESMTPS id 3149D1F47B; Wed, 10 Nov 2021 20:08:14 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 216F31A0548; Wed, 10 Nov 2021 15:08:13 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tommy Pauly <tpauly@apple.com>, Wes Hardaker <wjhns1@hardakers.net>, add@ietf.org
In-reply-to: <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com>
References: <yblk0hio8pu.fsf@w7.hardakers.net> <28611.1636465525@localhost> <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com>
Comments: In-reply-to Tommy Pauly <tpauly@apple.com> message dated "Tue, 09 Nov 2021 06:47:28 -0800."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 10 Nov 2021 15:08:13 -0500
Message-ID: <398007.1636574893@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/gA6py7GqhtSgwAI31t9V8Wqfm0o>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 20:08:50 -0000

Tommy Pauly <tpauly@apple.com> wrote:
    > Having a specific zone / subdomain that’s used for non-public hosts is
    > certainly a clean way to handle split-DNS cases. This allows for simple
    > techniques like failing back to some internal resolver when you don’t
    > have an a priori mapping of which names should use the internal
    > resolver, and it makes cases where you have a trusted list of internal
    > domains (like VPN) very simple.

If the VPN has to be up to reach that internal resolver, then the act of
looking for the name brings up the VPN.  This is a major win over the case
where the VPN is down, and the user types in some internal name and is told
it does not exist.

    > Sadly the reality of so many deployments is that there isn’t a clean
    > cut for “internal” or “private” names. Maybe we can hope that
    > deployments that use dual-facing or dual-resolving hosts will
    > eventually stop, but I don’t see that happening any time soon.

CNAME can pave over may failures where a previously public (or privately
private) service can be moved.   This isn't possible if there are two views
of the same example.com.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email