Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

Ted Lemon <mellon@fugue.com> Mon, 26 November 2018 17:32 UTC

References: <CAHw9_iL6CpLf6h_ysWEjvNjzaU2TPk-SyVGzLs_J9Yk_5A4OmA@mail.gmail.com> <46B41554-ABC0-4939-99E3-703E1FD998D5@hopcount.ca> <alpine.DEB.2.20.1811261658250.3596@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1811261658250.3596@grey.csi.cam.ac.uk>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 26 Nov 2018 12:31:30 -0500
Message-ID: <CAPt1N1m5bDYmuO2MRA4ZkQ4d6jBbhR551bHF2gCRSpZGNsbcrQ@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Joe Abley <jabley@hopcount.ca>, draft-ietf-ipsecme-split-dns.all@ietf.org, dnsop WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Io0qs7Xe-wZlp7qNh-CHJ7uFnFk>
Subject: Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

If there's no delegation from the root, and it can be validated that there
is no delegation from the root, then the attack surface that this draft
provides is that your corporate private DNSSEC on foo.corp can be
overridden by the VPN. So as you say, Tony, even in this case, the right
way to do this is not to allow the VPN to provide the trust anchor in-band.

On Mon, Nov 26, 2018 at 12:05 PM Tony Finch <dot@dotat.at> wrote:

> Joe Abley <jabley@hopcount.ca> wrote:
> >
> > It seems to me that the intended use-case is access to corporate-like
> > network environments where intranet.corporate-like.com might exist on
> > the inside but not on the outside.
>
> More likely cases like corporate-like.local or corporate-like.int or
> like.corp etc. usw. :-(
>
> Private DNSSEC trust anchors should be distributed in the same way that
> you would distribute corporate X.509 trust anchors.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> an equitable and peaceful international order
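The thread's design point, as a worked model rather than anything from the draft or from any VPN implementation: a client evaluating a VPN's split-DNS configuration treats DNSSEC trust anchors the way it treats corporate X.509 roots, i.e. only locally provisioned anchors count, anything offered in-band is never installed, and an in-band anchor that would displace a provisioned one (the "foo.corp overridden by the VPN" case above) is treated as a conflict and the domain is refused. The attribute names in the comments, the data classes, the conflict rule and every sample zone, key tag and digest below are constructed for this example.

```python
"""Model of a VPN client's policy for handling split-DNS configuration.

Constructed illustration for the thread above, not code from the draft or
from any VPN product. Names in comments such as INTERNAL_DNS_DOMAIN and
INTERNAL_DNSSEC_TA are assumed labels for "domain offered by the VPN" and
"trust anchor offered in-band"; all sample zones and key material are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class TrustAnchor:
    zone: str       # zone the anchor applies to, e.g. "corp."
    key_tag: int    # DNSKEY key tag (constructed values below)
    digest: str     # DS digest, hex (constructed values below)


@dataclass
class SplitDnsOffer:
    domain: str                                         # assumed INTERNAL_DNS_DOMAIN
    anchors: List[TrustAnchor] = field(default_factory=list)  # assumed INTERNAL_DNSSEC_TA payloads


@dataclass
class Decision:
    domain: str
    accepted: bool
    reason: str
    anchor_used: Optional[TrustAnchor] = None   # always a provisioned anchor, never an in-band one
    conflicts: List[TrustAnchor] = field(default_factory=list)


def normalize(name: str) -> str:
    """Lower-case and make fully qualified so "Foo.Corp" and "foo.corp." compare equal."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def is_at_or_below(name: str, zone: str) -> bool:
    """True if name is zone itself or lies underneath it."""
    name, zone = normalize(name), normalize(zone)
    return zone == "." or name == zone or name.endswith("." + zone)


def closest_anchor(name: str, local_anchors: List[TrustAnchor]) -> Optional[TrustAnchor]:
    """The provisioned anchor with the longest zone enclosing name, if any."""
    best = None
    for ta in local_anchors:
        if is_at_or_below(name, ta.zone) and (best is None or len(normalize(ta.zone)) > len(normalize(best.zone))):
            best = ta
    return best


def overridden_anchors(inband: TrustAnchor, local_anchors: List[TrustAnchor]) -> List[TrustAnchor]:
    """Provisioned anchors whose validation chain an in-band anchor would displace.

    An in-band anchor identical to the provisioned anchor for the same zone displaces
    nothing. Otherwise every provisioned anchor at or below the in-band zone is affected:
    a VPN-supplied anchor for corp. would sit above, and override, a local foo.corp. anchor.
    """
    same_zone = [ta for ta in local_anchors if normalize(ta.zone) == normalize(inband.zone)]
    if same_zone and all((ta.key_tag, ta.digest) == (inband.key_tag, inband.digest) for ta in same_zone):
        return []
    return [ta for ta in local_anchors if is_at_or_below(ta.zone, inband.zone)]


def evaluate_offer(offer: SplitDnsOffer, local_anchors: List[TrustAnchor]) -> Decision:
    """Decide whether to honour a split-DNS domain. In-band anchors are never installed."""
    domain = normalize(offer.domain)
    conflicts: List[TrustAnchor] = []
    for ta in offer.anchors:
        conflicts.extend(overridden_anchors(ta, local_anchors))
    if conflicts:
        # Worth alerting on: the VPN tried to replace key material the administrator provisioned.
        return Decision(domain, False, "in-band trust anchor would displace a provisioned anchor", None, conflicts)
    used = closest_anchor(domain, local_anchors)
    reason = f"validating with provisioned anchor for {used.zone}" if used else "no provisioned anchor; in-band anchors ignored"
    return Decision(domain, True, reason, used, [])


# Constructed local trust-anchor store, provisioned out of band like corporate X.509 roots.
LOCAL_ANCHORS = [
    TrustAnchor("corp.", 12345, "aa" * 32),
    TrustAnchor("foo.corp.", 222, "bb" * 32),
]

# Constructed offers a VPN might send during configuration.
OFFERS = [
    SplitDnsOffer("foo.corp"),                                                   # no anchor offered
    SplitDnsOffer("corp", [TrustAnchor("corp.", 12345, "aa" * 32)]),            # matches provisioned
    SplitDnsOffer("corp", [TrustAnchor("corp.", 666, "ee" * 32)]),              # attempted override
    SplitDnsOffer("intranet.example.com", [TrustAnchor("intranet.example.com.", 1, "cc" * 32)]),
]


def demo() -> List[Decision]:
    return [evaluate_offer(o, LOCAL_ANCHORS) for o in OFFERS]


if __name__ == "__main__":
    for d in demo():
        print(d.domain, "ACCEPT" if d.accepted else "REFUSE", "-", d.reason)
```

The conflict rule is deliberately coarse: an in-band anchor that matches the provisioned one for the same zone is harmless, but any other in-band anchor enclosing a provisioned zone is treated as an override attempt and the whole domain is refused rather than silently ignored, so the event surfaces in logs.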