Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

Paul Wouters <paul@nohats.ca> Fri, 30 November 2018 15:37 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 545BF130E08 for <dnsop@ietfa.amsl.com>; Fri, 30 Nov 2018 07:37:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cr_Dkb0-vCA1 for <dnsop@ietfa.amsl.com>; Fri, 30 Nov 2018 07:37:32 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D43B3130E19 for <dnsop@ietf.org>; Fri, 30 Nov 2018 07:37:31 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 435z6G2LNlzMPv; Fri, 30 Nov 2018 16:37:26 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1543592246; bh=cZGe5PhC7wAiMwf/ewz3UV/xlrGqqsBCmFYs+SAZ70A=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=E88hKIDVVJw3JwM6QLUoZaEP6ZI/2WlTAKRoHRrlkvzYP9zifsfZk50Wstw4PSn6g wtLkTHvimH3OFP+BmW5x/GzKs53xl0SDFD1CmMxyUom+2WHyNR6wr9Tde88HCmySAI aP2JF+FSlGRxzuJRYI+HI+tbqQ5mz2dmfiiJ2hSg=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id fjJBTLGcuEF7; Fri, 30 Nov 2018 16:37:25 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 30 Nov 2018 16:37:25 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 5641B4A2C9E; Fri, 30 Nov 2018 10:37:24 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 5641B4A2C9E
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 4CDAB41C3B30; Fri, 30 Nov 2018 10:37:24 -0500 (EST)
Date: Fri, 30 Nov 2018 10:37:24 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: =?ISO-8859-2?Q?Petr_=A9pa=E8ek?= <petr.spacek@nic.cz>
cc: dnsop@ietf.org
In-Reply-To: <209bcfb6-0bed-a6e1-616e-e2a4749f2dfd@nic.cz>
Message-ID: <alpine.LRH.2.21.1811301034250.22612@bofh.nohats.ca>
References: <CAHw9_iL6CpLf6h_ysWEjvNjzaU2TPk-SyVGzLs_J9Yk_5A4OmA@mail.gmail.com> <46B41554-ABC0-4939-99E3-703E1FD998D5@hopcount.ca> <alpine.DEB.2.20.1811261658250.3596@grey.csi.cam.ac.uk> <23550.37961.117514.513410@fireball.acr.fi> <CAHw9_iJ0XFzErwbUci_WmN1pzZHbapj2JNu4j2YbMFbBt-m+aw@mail.gmail.com> <7DE4235C-A00F-493A-A5A0-96FCF9C32621@nohats.ca> <209bcfb6-0bed-a6e1-616e-e2a4749f2dfd@nic.cz>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ahGp2ZsVmqTPEkv39sFrWP6wJNM>
Subject: Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 15:37:35 -0000

On Thu, 29 Nov 2018, Petr Špaček wrote:

> I'm wondering if we could add NXDOMAIN mandatory check and accept
> INTERNAL_DNSSEC_TA only if "external DNS server" resolves given name to
> NXDOMAIN.

You cannot do that. Imagine .company being run locally and publicly.
They might still be different zones.

While it would be ideal for companies to put all their non-public stuff
in one internal zone (eg corp.example.com), we cannot and should not
require them to do so. Although we surely recommend them to do so.

> It seems to me that it would eliminate most problematic cases like com.
> hijack etc.

And introduce lots of new ones :)

> Only problem I can see are cases where "external view" actually serves
> non-NXDOMAIN answers - I have no idea how common is that.

And I don't know how we would find out how common that is.

> What do you think?

I think in an ideal world, yes. but on this internet, no :)

Paul