Re: [DNSOP] howto "internal"

Paul Vixie <paul@redbarn.org> Tue, 24 July 2018 16:10 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DE61131156 for <dnsop@ietfa.amsl.com>; Tue, 24 Jul 2018 09:10:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryK8clAJmcIQ for <dnsop@ietfa.amsl.com>; Tue, 24 Jul 2018 09:10:18 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E8C3130F3B for <dnsop@ietf.org>; Tue, 24 Jul 2018 09:10:18 -0700 (PDT)
Received: from [IPv6:2600:100d:b118:3eaa:8508:f771:a76d:25e5] (unknown [IPv6:2600:100d:b118:3eaa:8508:f771:a76d:25e5]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id EA3FC892B9; Tue, 24 Jul 2018 16:10:17 +0000 (UTC)
Message-ID: <5B574F67.1090806@redbarn.org>
Date: Tue, 24 Jul 2018 09:10:15 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.25 (Windows/20180328)
MIME-Version: 1.0
To: Tim Wicinski <tjw.ietf@gmail.com>
CC: dnsop <dnsop@ietf.org>
References: <1cb82914-0bc3-9ea7-7f69-9dc826d19e48@andreasschulze.de> <2264d840-33cc-736c-668a-a537c4da4a30@nic.cz> <alpine.DEB.2.20.1807241623300.5965@grey.csi.cam.ac.uk> <CADyWQ+HZ4i2P9qK03xK_EvZYakdduKigH87QgZ4zfUwjHjL25Q@mail.gmail.com>
In-Reply-To: <CADyWQ+HZ4i2P9qK03xK_EvZYakdduKigH87QgZ4zfUwjHjL25Q@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6dyOCIH-gpXpnXJ_GbGkN97kmX8>
Subject: Re: [DNSOP] howto "internal"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jul 2018 16:10:20 -0000


Tim Wicinski wrote:
> At my employer we use real domains, but do not expose them to the
> outside world (they just see 127.0.0.1).   It's a better than inverting
>   security through obscurity like I have seen elsewhere (not that you
> would do that Andreas).
>
> Paul,  I am not with 100% love of the .alt name./idea but I do agree
> that if we don't do something the Real Users (tm) will do something even
> more broken and horrific.

i also use real domains for my private stuff. but i also use RPZ locally 
for the internal bindings, not NS RR delegations that i'd have to keep 
out of my externally-served zone files.

-- 
P Vixie