Re: [Add] some background on split DNS with DNSSEC

Dan Wing <danwing@gmail.com> Wed, 10 November 2021 17:42 UTC

From: Dan Wing <danwing@gmail.com>
In-Reply-To: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com>
Date: Wed, 10 Nov 2021 09:42:47 -0800
Cc: "add@ietf org" <add@ietf.org>
Message-Id: <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com>
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com>
To: "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/s2l_TMZOJ0BpHn7Bx_PDzRDNWfs>
Subject: Re: [Add] some background on split DNS with DNSSEC
List-Id: Applications Doing DNS <add.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>

On item 3,

We could use DNSSEC to prove the PvD dnsZones is truthful to avoid asking the same question of the public DNS.  

However, we already need IPv6 (for RFC8801's PvD) and adding a DNSSEC requirement means we are deeper in the "room of non-deployability", a dreaded space for our D&D character.  That's why split-dns queries the public DNS:  the procedure in split-dns establishes a *similar* proof of domain ownership as DNSSEC could have provided.

-d
> On Nov 9, 2021, at 1:07 PM, Deen, Glenn <Glenn_Deen=40comcast.com@dmarc.ietf.org> wrote:
> 
> Item #1:
> 
> Chair dusting off his fancy chair hat and saying, before this gets too off track ....
>     - gentle nudge to everyone to stay focused on the core ADD related issues here -
> 
> Item #2:
> 
> ADD may at times be willing to tackle some hard stuff such as how to discover encrypted DNS servers, but ADD is very much not chartered to take on something as impossible as trying to unravel several decades worth of various DNS and naming architecture choices that many of us would very much like to go back and have a second, hopefully wiser attempt at.
> 
> That is a topic that needs a stool, a beverage and the in-person ability to sigh, roll eyes, shake our heads mournfully and show all the wisdom we have gained by learning the consequences that come years later from decisions that may have made perfect sense at the time.
> 
> Item #3:
> 
> That said, what ADD is chartered to do is to look at how to do encrypted DNS resolver discovery in the environments that users do live in, and not just environments that we think they should be in, so with the background on DNSSEC that started this chain, and EKR's moment of actually putting a good word in for DNSSEC during the ADD session,  does the group see there being a role here for DNSSEC?
> 
> -glenn
> 
> 
> 
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add