Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

Tony Finch <dot@dotat.at> Tue, 27 November 2018 15:02 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE1F6130EBA for <dnsop@ietfa.amsl.com>; Tue, 27 Nov 2018 07:02:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1sIySMh-_HLI for <dnsop@ietfa.amsl.com>; Tue, 27 Nov 2018 07:02:33 -0800 (PST)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B95F9130E9A for <dnsop@ietf.org>; Tue, 27 Nov 2018 07:02:33 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:47564) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gRese-000GtJ-i6 (Exim 4.91) (return-path <dot@dotat.at>); Tue, 27 Nov 2018 15:02:28 +0000
Date: Tue, 27 Nov 2018 15:02:28 +0000
From: Tony Finch <dot@dotat.at>
To: Ted Lemon <mellon@fugue.com>
cc: Paul Wouters <paul@nohats.ca>, dnsop@ietf.org
In-Reply-To: <033DE6CA-B75E-4B06-A39E-323DCBBBC7A5@fugue.com>
Message-ID: <alpine.DEB.2.20.1811271453020.3596@grey.csi.cam.ac.uk>
References: <CAHw9_iL6CpLf6h_ysWEjvNjzaU2TPk-SyVGzLs_J9Yk_5A4OmA@mail.gmail.com> <9DBE5370-BEA4-48CE-B9FB-356ED1CCC1E7@icann.org> <CAPt1N1m1NoJoBPWJ5L96WwjrF6QEzB93pRxZpaHJxoBMpxtVRw@mail.gmail.com> <B4F27495-AA1E-44B3-B0DE-C228E0EDC84C@icann.org> <B00FCC13-587A-4E33-8BC9-D708EB6B4399@nohats.ca> <033DE6CA-B75E-4B06-A39E-323DCBBBC7A5@fugue.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fhlwYeanXJBi5Jn8-v1x3uc2_6M>
Subject: Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 15:02:49 -0000

Ted Lemon <mellon@fugue.com>; wrote:
>

Snipped and edited to add numbering for reference...

> 4. Split DNS, DNSSEC, trust anchor required because the hidden zone is
> under or at an unsigned delegation
>
> 5. Split DNS, DNSSEC, trust anchor required because the hidden zone has
> a secure delegation that won't validate

[ snip lots of stuff I agree with ]

> In cases four and five, you care enough to set up DNSSEC, but either
> can't be arsed to do it right, or don't have control over the delegation
> point and so can't do it right.  In the former case, I would argue that
> we should just say too bad.  In the latter case, we have just protected
> the end user from being attacked by saying too bad.

Case 4 is pretty common for RFC 1918 reverse DNS :-)

Really, I don't think this is (just) a VPN issue: the question of how to
install DNSSEC trust anchors for private zones has not been solved for the
general case, so a VPN-only patch seems premature and unhelpfully specific
to me.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>;  http://dotat.at/
an equitable and peaceful international order