Re: [Add] some background on split DNS with DNSSEC

Bill Woodcock <woody@pch.net> Tue, 09 November 2021 15:18 UTC

From: Bill Woodcock <woody@pch.net>
Date: Tue, 09 Nov 2021 16:18:30 +0100
References: <yblk0hio8pu.fsf@w7.hardakers.net> <28611.1636465525@localhost> <3692CFBF-4D06-4960-9F7C-347A58D2D0A0@apple.com> <aea95242-4e80-e4cb-b5bb-da34105e7ed1@lear.ch> <CAPt1N1kGs851Q_BMq1NDzm80xHbrKLJWwt1JzAmZAtafXeoqPg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>, add@ietf.org
In-Reply-To: <CAPt1N1kGs851Q_BMq1NDzm80xHbrKLJWwt1JzAmZAtafXeoqPg@mail.gmail.com>
Message-Id: <BF4069C2-225D-4BA6-97FC-5CB6B09DA657@pch.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/nJ2Vel9ZWJ0_NwmWRDBkvpUi4Sk>
Subject: Re: [Add] some background on split DNS with DNSSEC


> On Nov 9, 2021, at 4:15 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
> It might indeed be nice to consider a way to make DNSSEC work that acknowledges the existence of a shared public/private namespace. But it would have to be easier to operate than just operating two namespaces that both validate from the same delegation, which is what we can do today.

Can you elaborate?

If people are already maintaining two “views” of a namespace, and signing both with the same keys, how would it get easier?  I mean, short of not maintaining two views?

                                -Bill