Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns

Andrew Campling <andrew.campling@419.consulting> Mon, 16 May 2022 12:44 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: Tommy Pauly <tpauly@apple.com>, Eliot Lear <lear@lear.ch>
CC: Paul Wouters <paul@nohats.ca>, "bemasc@google.com" <bemasc@google.com>, ADD Mailing list <add@ietf.org>
Thread-Topic: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns
Date: Mon, 16 May 2022 12:44:16 +0000
Message-ID: <CWXP265MB5153A41F1A4033CE72CB8763C2CF9@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
References: <BYAPR11MB3111FD2D0FF61231304A5F3DEAC29@BYAPR11MB3111.namprd11.prod.outlook.com> <CAHbrMsAcpHFon+JS9jsLdqANt+1FmkA_VDAwW4PSUDMJwtbavA@mail.gmail.com> <14b56185-4fe3-8e4b-adcf-22ddb624329@nohats.ca> <6091dcb9-0d91-6666-2c3f-ae8da960242b@lear.ch> <4184DE80-6C80-463F-9045-66100F5AFDAF@apple.com>
In-Reply-To: <4184DE80-6C80-463F-9045-66100F5AFDAF@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/s9bM5ld5BBST6UpoVf_HJfs6kBo>
Subject: Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns
List-Id: Applications Doing DNS <add.ietf.org>

I also agree that this is a valuable problem to solve and support adoption by the working group.

Andrew 

-----Original Message-----
From: Tommy Pauly <tpauly@apple.com> 
Sent: 14 May 2022 00:25
To: Eliot Lear <lear@lear.ch>
Cc: Paul Wouters <paul@nohats.ca>; bemasc@google.com; ADD Mailing list <add@ietf.org>
Subject: Re: [Add] WG Adoption Call draft-reddy-add-enterprise-split-dns

I generally agree with this sentiment. I think this document needs refinement and a lot of discussion of the mechanisms, but this is a valuable problem to solve. I think this document represents one starting point, and as long as we’re willing to evolve the mechanisms based on the working group discussion, I support adoption.

Thanks,
Tommy

> On May 13, 2022, at 1:19 AM, Eliot Lear <lear@lear.ch> wrote:
> 
> Hi,
> 
> On 05.05.22 21:57, Paul Wouters wrote:
>> The only real solution I see is one similar to the IKEv2 split-DNS 
>> case, one where there is basically an authenticated and authorized 
>> provisioning step that enables the user to join an "enterprise network"
>> which can demand all or a subset of DNS traffic which the user is 
>> required to opt-in to. And even that is tricky when a user is kinda 
>> forced to accept to get any connectivity, say in a hotel or 
>> coffeeshop (or repressive regime)
> 
> I think you are aiming at the fundamental problem, Paul: is there a way for the user to decide who to trust.  Ben's pointed out the UX problems with answering that question.  For enterprise assets that clearly has to be the enterprise.  The only question really is how to bootstrap trust in the enterprise.  Any draft trying to address split DNS has to assume that has happened.  That part can't be in scope here.
> 
> What this or any draft has to do is be a bit clearer in stating that and then show how that bootstrapping of trust is leveraged to address split DNS, either via resolver selection at a gross or fine level, or through other means.  Right now I think it is trying to demonstrate that through multiple mechanisms, and that is what is making things rather hard to follow.  That's because there is no one-size-fits-all solution because enterprises come in many shapes and forms.  To some, leaking a modest amount of NS records is okay.  The pollution argument you raise is only relevant in as much as domains outside the enterprise control would be polluted.  If that's not the case, then it's a matter for an enterprise, and nobody else's business.
> 
> So I support adoption of this draft, but I do think it needs a lot more work to be clearer on the bootstrapping that is occurring.
> 
> Eliot
> 
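The routing rule the quoted discussion circles around (an enterprise resolver is used only for the subset of names the enterprise actually controls, so that names outside its control are never "polluted") can be sketched as a small policy check. The code below is an added illustration, not part of this thread or of draft-reddy-add-enterprise-split-dns; it assumes the authenticated provisioning step Paul and Eliot describe has already happened and has yielded the list of zones the enterprise is known to control. The resolver addresses, zone names and queries are constructed sample values.

```python
"""Split-DNS routing policy check (added example, not from the thread or the draft).

Model: after an (assumed, already completed) authenticated provisioning step the
client knows which zones the enterprise controls. Every domain the enterprise
claims for its resolver is accepted only if it lies inside one of those zones;
any other claim is rejected so it cannot redirect resolution of unrelated names.
"""
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are uniform."""
    return name.strip().lower().rstrip(".")


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a label-aligned descendant of it
    ('corpexample.com' is NOT inside 'example.com')."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


@dataclass(frozen=True)
class SplitDnsPolicy:
    enterprise_resolver: str
    public_resolver: str
    accepted: frozenset   # enterprise claims that passed the control check
    rejected: frozenset   # claims that would have affected names outside enterprise control


def build_policy(claimed_domains, controlled_zones, enterprise_resolver, public_resolver):
    """Accept a claimed domain only if it sits inside a zone the provisioning
    step proved the enterprise controls; everything else is rejected."""
    accepted, rejected = set(), set()
    for claim in claimed_domains:
        claim = normalize(claim)
        if any(in_zone(claim, zone) for zone in controlled_zones):
            accepted.add(claim)
        else:
            rejected.add(claim)
    return SplitDnsPolicy(enterprise_resolver, public_resolver,
                          frozenset(accepted), frozenset(rejected))


def select_resolver(policy: SplitDnsPolicy, qname: str) -> str:
    """Send a query to the enterprise resolver only when the name is under an
    accepted claim; all other traffic stays with the public resolver."""
    if any(in_zone(qname, domain) for domain in policy.accepted):
        return policy.enterprise_resolver
    return policy.public_resolver


# Constructed sample input (placeholder addresses from documentation ranges).
ENTERPRISE_RESOLVER = "10.0.0.53"
PUBLIC_RESOLVER = "192.0.2.53"
CONTROLLED_ZONES = {"example.com", "example.net"}   # assumed output of provisioning
CLAIMED = ["corp.example.com", "Internal.Example.NET.", "example.org", "com"]

POLICY = build_policy(CLAIMED, CONTROLLED_ZONES, ENTERPRISE_RESOLVER, PUBLIC_RESOLVER)

if __name__ == "__main__":
    print("accepted:", sorted(POLICY.accepted))
    print("rejected:", sorted(POLICY.rejected))
    for q in ["wiki.corp.example.com", "www.example.org",
              "corp.example.com.other.test", "mail.internal.example.net"]:
        print(f"{q:32s} -> {select_resolver(POLICY, q)}")
```

The claim for `example.org` and the over-broad claim for `com` are rejected because neither lies inside a controlled zone, which is the "pollution" case Eliot distinguishes from an enterprise's own domains; the suffix check is label-aligned so a look-alike such as `corp.example.com.other.test` still goes to the public resolver.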