Re: [Add] [EXTERNAL] Re: add-enterprise-split-dns and split horizon DNS

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 08 December 2021 13:31 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Dan Wing <danwing@gmail.com>, "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, ADD Mailing list <add@ietf.org>
In-Reply-To: <5320E6D1-7A19-457A-AD44-86B9AD849407@gmail.com>
References: <152347.1638473207@dooku> <CABcZeBMyZLSE2HZ2dL+P6Dq3hMaG2QgTRrUuAjHTB7pJpXTaMQ@mail.gmail.com> <8AF4482A-A656-4999-8127-39D94FC914AF@gmail.com> <C27FDD98-D80D-4DB8-83D7-3B1BB686F509@nbcuni.com> <16475.1638571910@localhost> <5320E6D1-7A19-457A-AD44-86B9AD849407@gmail.com>
Date: Wed, 08 Dec 2021 08:31:27 -0500
Message-ID: <11411.1638970287@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/hbyI6ljmtoNP6Qa8Q0o3vs6zTfc>
List-Id: Applications Doing DNS <add.ietf.org>

Dan Wing <danwing@gmail.com> wrote:
    >> I claim that it isn't: that DNSSEC provides for corp.example.com delegations
    >> that satisfy all of the issues that multiple-views claims to solve.

    > I don't understand what is meant by "corp.example.com delegations".
    > Are you describing a delegation where the FQDN www.corp.example.com is
    > resolvable when querying a DNS server inside a network but that same
    > FQDN is not resolvable when querying example.com's DNS on the Internet?
    > Or that it resolves to different A records when queried inside versus
    > on the Internet?

That's why it would be nice if the draft explained this and gave it a name.

Yes, "corp.example.com" has an NS record in example.com which points to an IP
address/DNS-server that does not answer queries if you aren't within the
domain.

I have seen it in use at multiple places over multiple decades.
It works far better than having two authorities for the same name,
particularly for entities that have multiple points of presence with VPNs
connecting them.

{IPv6 makes this trivial, but it can also be done with less elegance using
RFC1918, if the enterprise has no public IPv4 and can't hire any. }

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
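One concrete shape for the delegation described above, as an added example that is not from this thread or from the draft: the public, DNSSEC-signed example.com zone carries only the NS, glue and DS records for corp.example.com (shown as comments), and the single authoritative server for corp.example.com refuses queries from outside an internal ACL. All addresses, file paths and the DS fields are assumed placeholders (documentation prefixes, `<keytag>`, `<digest>`).

```bind
// Added example (not from the thread): BIND 9 configuration for the
// internal authoritative server that owns corp.example.com.  Addresses
// use documentation prefixes (2001:db8::/32, 10.0.0.0/8) as placeholders.
//
// Parent side: the public, DNSSEC-signed example.com zone carries only
// the delegation, its glue, and the DS record for the child's KSK:
//
//   corp.example.com.      IN NS   ns1.corp.example.com.
//   ns1.corp.example.com.  IN AAAA 2001:db8:1::53          ; glue
//   corp.example.com.      IN DS   <keytag> 13 2 <digest>  ; placeholder
//
// Nothing under corp.example.com lives in the public zone, so an outside
// resolver follows the delegation and gets REFUSED rather than a different
// answer; inside, the same chain of trust (example.com -> DS -> child KSK)
// validates.  There is exactly one authority for every corp name.

acl "corp-internal" {
    2001:db8::/32;      // enterprise IPv6 space (placeholder)
    10.0.0.0/8;         // RFC 1918 space reached over the site VPNs (placeholder)
    localhost;
};

options {
    directory "/var/named";           // placeholder path
    listen-on-v6 { 2001:db8:1::53; };
    recursion no;                     // authoritative only, never a resolver
    allow-query { "corp-internal"; }; // everyone else receives REFUSED
    allow-transfer { none; };         // secondaries would be listed explicitly
};

zone "corp.example.com" {
    type primary;
    file "corp.example.com.db";       // placeholder zone file
    inline-signing yes;
    dnssec-policy default;            // signs the zone; its DS goes into example.com
    allow-query { "corp-internal"; };
};
```

Because the zone is signed with a key whose DS sits in the public parent, an internal validating resolver needs no special trust anchor or per-view configuration.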