Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

"John Levine" <johnl@taugh.com> Mon, 26 November 2018 19:03 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2777E130F4A for <dnsop@ietfa.amsl.com>; Mon, 26 Nov 2018 11:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=jEQGmgRE; dkim=pass (1536-bit key) header.d=taugh.com header.b=o76YvKYO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-iEjAk3fraR for <dnsop@ietfa.amsl.com>; Mon, 26 Nov 2018 11:03:56 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73E33130F59 for <dnsop@ietf.org>; Mon, 26 Nov 2018 11:03:56 -0800 (PST)
Received: (qmail 17804 invoked from network); 26 Nov 2018 19:03:55 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=4588.5bfc439b.k1811; bh=iYwxn03LBlWCMeIiN4ngVRff6b6REpOzONmtHa0c8kY=; b=jEQGmgREMNXtQB1lfiIsQb6dz3b5Yr/+PnicJpHc0XY3n2tI5227RPM9nOuPM12Qp/iABfP1bZH8RUYV3yz9geKo4zltLwIQFCQMCRGRy/z4se+TjYK/I/px6EDxMW8QhcX01DZMP2NfRjh5P2/2WAqWhFhN8DvVz3a5ajCp9aexaduSjfjgBoDR2caO3vbvyAugfILC7RRZeE6wQglV192I3e2RHOB8hGwMetURe8ohZJSiWAFeyoerX/zxWa35
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=4588.5bfc439b.k1811; bh=iYwxn03LBlWCMeIiN4ngVRff6b6REpOzONmtHa0c8kY=; b=o76YvKYO7OcJaqu9B1cMKREvuPvv5a6ukQR/VTOftQyCGNkcaswT0lcM53Fl76R+TSHtCyDEkECPJ38LcWvzw6Ha9ksornanoqrKo51SHfeRLCQ3M61mNsjPCXA/Pg9QytVhE0MY8fD2CV0IWsx7XECfrxiL9zL3xPtrSBhrMAh76izEQv0AK3HAQ1RgQq+h375pnTkH544wuRsSc3s/hjs+mlgw4ZGY6PR6BKXMQmIp/QOYUjbA3yR+ryQYkpDz
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 26 Nov 2018 19:03:55 -0000
Received: by ary.qy (Postfix, from userid 501) id 203262008E6E66; Mon, 26 Nov 2018 14:03:54 -0500 (EST)
Date: 26 Nov 2018 14:03:54 -0500
Message-Id: <20181126190355.203262008E6E66@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: paul.hoffman@icann.org
In-Reply-To: <B4F27495-AA1E-44B3-B0DE-C228E0EDC84C@icann.org>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NDR-vNoYPycQ8X4nYcyh7vBEC9o>
Subject: Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Nov 2018 19:03:58 -0000

In article <B4F27495-AA1E-44B3-B0DE-C228E0EDC84C@icann.org>; you write:
>> Can you unpack what you mean by this?   I assume you don't mean that we should provide a mechanism whereby
>network operators can automatically override DNSSEC trust anchors! 
>
>For names that are only available within a trusted network, yes I really mean that. 

I agree with the sentiment, but when I'm writing my DNS validator, how
do I tell the names that are only available within the network from
the outside ones that the network operator is spoofing?

R's,
John