Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

Paul Wouters <paul@nohats.ca> Thu, 29 November 2018 05:35 UTC

> On Nov 29, 2018, at 09:20, Mark Andrews <marka@isc.org> wrote:
> 
> You can also just publish DS records for both DNSKEY RRsets with the caveat that
> both RRsets have to have all algorithms as is published in the combined DS RRset.

True. But then you are publishing non-public internal network details on the public internet. And you still have to get different DNS groups to work together to update these in time. We thought it better to just whitelist the domains in the provisioning system and have the VPN gateway (automatically or manually) pull/update the proper DS records.

Paul
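As an added illustration of the caveat in the quoted reply (this is constructed example code, not from the draft or from either author): it builds the combined DS RRset from the KSKs of two views of one zone and then checks whether each view's DNSKEY RRset carries every algorithm that combined RRset advertises. It assumes both views share the zone name, DS digest type 2 (SHA-256), and made-up placeholder key bytes.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material (constructed placeholder bytes below)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (all algorithms except 1)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def wire_name(name: str) -> bytes:
    # Canonical lower-case wire form of the owner name (RFC 4034 section 6.2)
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    # Digest type 2: SHA-256 over owner wire name + DNSKEY RDATA (RFC 4509)
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)

def combined_ds(owner, *dnskey_rrsets):
    # One DS per KSK (SEP bit set) across all views, as in the quoted approach
    return {ds_from_dnskey(owner, k) for rrset in dnskey_rrsets for k in rrset if k.flags & 1}

def missing_algorithms(ds_rrset, dnskey_rrset):
    # Algorithms the parent DS RRset advertises that this view's DNSKEY RRset lacks;
    # non-empty means the view cannot satisfy RFC 4035 section 2.2 for that DS RRset
    return {ds.algorithm for ds in ds_rrset} - {k.algorithm for k in dnskey_rrset}

# Constructed sample views: internal signed with ECDSAP256SHA256 (13), external with RSASHA256 (8)
INTERNAL = [DNSKEY(257, 3, 13, b"\x01\x02\x03\x04"), DNSKEY(256, 3, 13, b"\x05\x06\x07\x08")]
EXTERNAL = [DNSKEY(257, 3, 8, b"\x09\x0a\x0b\x0c"), DNSKEY(256, 3, 8, b"\x0d\x0e\x0f\x10")]
```

With these two views, `missing_algorithms` reports algorithm 8 missing from the internal view and 13 from the external one, which is exactly the "both RRsets have to have all algorithms" condition the quoted reply describes.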