Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

Joe Abley <> Mon, 26 November 2018 16:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 85CDA130F2D for <>; Mon, 26 Nov 2018 08:31:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uFLBHTPsUokx for <>; Mon, 26 Nov 2018 08:31:08 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C1016130F26 for <>; Mon, 26 Nov 2018 08:31:07 -0800 (PST)
Received: by with SMTP id t13-v6so7721429ybb.8 for <>; Mon, 26 Nov 2018 08:31:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ZTlzK4Q+fHH81NWNRtYkfLoSMaZYdS9qqGuY4Yj5ibw=; b=mBJyUttG19RqLtpWq/n9FYJ0NkUFJHzIbrGOzwryrZG/fF8wdwaPaE4i0j5LifJvkg eod8xmeQhimUoLu3frcA9ceyfcF6XCzImL2AwOZeVLYClwwlO/AhhlVKMengUBU+siE2 G9C6g6vTPvqNoanUtkgHSQyeE59ix6Po6Ajxo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ZTlzK4Q+fHH81NWNRtYkfLoSMaZYdS9qqGuY4Yj5ibw=; b=SLIiYLluVxTtsOeKjeZTonLHfyaRuF9EXfuVart62NBKiEfOGHfvQs9SiRiEqPyW/g YOPb2lcmYFxTdNRgrawD+98/NSzCsjBY+y6mepMNREBaiHS/xi4xzxF8yL/P8JbfeSXc 1GkES/fbW59Dhx8OTzRm1QqswhRDwYCwvth70A9YF3h5wmnrwhtA3ZC/cR3LyzfTATs9 +AMtdt57JsEo8I1IGR2YuF43zWwxPjKKUVCdMPuKJwcMb+WgjQ2gpD9O9CoNbNvR8Yn2 Kv5bKEsYC75JxWk9PLVQeEta8tFen6LPC74EjMUR9gIwamvvQCEh3olFfwQdBoNGA9Xi 14eA==
X-Gm-Message-State: AA+aEWZReHojroalXVf7vhgbkkbd0Qdaf9DB8wVrBeVBibMWqqf3UqlH MrCNNGHNk8ujgHRd+LHpnQ/KVdmtl40=
X-Google-Smtp-Source: AFSGD/XXdx8XkcZwW9d4WGAShJrlYQF8jBDU/dZ5mDMrFRaOhUROq2489j3m47Yx8vusckjicXaHeQ==
X-Received: by 2002:a25:3b13:: with SMTP id i19-v6mr26599704yba.170.1543249866564; Mon, 26 Nov 2018 08:31:06 -0800 (PST)
Received: from ?IPv6:2607:f2c0:101:3:b57d:f87e:cba0:7789? ([2607:f2c0:101:3:b57d:f87e:cba0:7789]) by with ESMTPSA id l140sm449154ywe.77.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Nov 2018 08:31:03 -0800 (PST)
From: Joe Abley <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4419D50D-93CE-4596-B276-9D74FA988C00"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Mon, 26 Nov 2018 11:31:01 -0500
In-Reply-To: <>
Cc: dnsop <>,
To: Warren Kumari <>
References: <>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <>
Subject: Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Nov 2018 16:31:13 -0000

Hi Warren,

It seems to me that the intended use-case is access to corporate-like network environments where intranet.corporate-like. <>com might exist on the inside but not on the outside. Whether access is through a VPN or WPA2-protected WiFi or an RJ45 jack on the wall in a locked room seems orthogonal to the problem space, so I'm not sure why the VPN example needs additional facilities that the others don't have.

If you sign both your internal-facing and external-facing view of your zone with the same KSK, surely you don't need an additional TA to make it work in any of those example cases? The DS RRSet in your parent is all anybody needs.

I share your concern that there's no obvious way to limit the scope of the TA when the only administrator in the picture is a baking-obsessed, jet-lagged, non-technical user in a hotel room at 4am.

In general, I think dissemination of a new TA to a validator is a serious business and shouldn't be done quietly if there's a chance that a non-technical end-user is driving.


> On 26 Nov 2018, at 11:17, Warren Kumari <> wrote:
> Hi there DNSOP,
> I (and a number of IESG folken) would like some feedback / guidance on draft-ietf-ipsecme-split-dns.
> This document (which has gone through IESG eval, and on which I'm currently holding a DISCUSS) attempts to solve the problem of accessing internal domains when using a split-tunnel VPN.
> Here is the abstract:
> "This document defines two Configuration Payload Attribute Types
> Exchange Protocol Version 2 (IKEv2).  These payloads add support for
> private (internal-only) DNS domains.  These domains are intended to
> be resolved using non-public DNS servers that are only reachable
> through the IPsec connection.  DNS resolution for other domains
> remains unchanged.  These Configuration Payloads only apply to split
> tunnel configurations."
> Okey dokey, this sounds reasonable, and solves a problem which probably shouldn't exist, but does.
> The concerning scenario for me (and where I'd like the WG to provide feedback if I'm being overly twitchy) is:
> "The INTERNAL_DNSSEC_TA attribute type is used to convey a DNSSEC
> trust anchor for such a domain.  This is required if the external
> view uses DNSSEC that would prove the internal view does not exist or
> would expect a different DNSSEC key on the different versions
> (internal and external) of the enterprise domain."
> Let's say I'm visiting Elbonia and really really want to watch "The Great British Baking Show" on Netflix. Elbonia blocks all baking shows[0], and so I figure I'll fire up my VPN, provided by "VPNs-R-Us - only $1.99 per month, don't torrent without it!".  
> As you can guess from the name, VPNs-R-Us is sketchy, but, hey, they were cheap! (They make up the profit by being malicious).
> So, I fire up my IPSEC VPN client, and it pops up a box saying "VPNs-R-Us wants to provide you with DNS servers for [.com, <> ] and DNSSEC Trust Anchors for the same. Continue [Y/N]?". Being a users, desperate  to watch Paul Hollywood disapprove of someone's puff pastry, I click "Yes" (admit it, you would too!)..
> I then browse to <> to see if I can buy a shirt just like Noel Fielding's.
> My DNS request goes to VPNs-R-Us, who (because they have provided me with a DNSSEC TA for .com) answers with and a "validly" signed DNSSEC answer. They also "helpfully" provide me with a TLSA record, and when I connect provide me with a certificate with the DNSSEEC chain extension..
> The document attempt to mitigate issues like this with: "Other generic or public domains, such as top-level domains (TLDs), similarly MUST be ignored if these appear in a whitelist unless the entity actually is the operator of the TLD. To determine this, an implementation MAY interactively ask the user when a VPN profile is installed or activated to confirm this.  Alternatively, it MAY provide a special override keyword in its provisioning configuration to ensure non-interactive agreement can be achieved only by the party provisioning the VPN client, who presumbly is a trusted entity by the end-user.", discussions in the Security Considerations, etc. 
> I believe that the document is trying to solve a real world problem, but I'm concerned by the ability to push DNSSEC TAs, and rely on user's ability to make an informed decision (keeping in mind their behavior when presented with big red "Are you sure you want to accept this random TLS certificate?!" browser boxes).
> So, would y'all mind weighing in to help me decide what I do with my DISCUSS? Do the benefits outweigh the risks? Allowing this potentially allows for DNSSEC signing of things like internal TLDs / internal namespaces, increasing DNSSEC deployment. Am I being overly cautious here? Should users know better than to blindly click OK on things they don't understand?
> I'd really like your advice, preferably before Friday.
> The document: <>
> The balloting: <>
> The thread on my DISCUSS: <>
> W
> [0]: Lest their citizens start wondering why they don't also have cake.
> --
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>    ---maf
> _______________________________________________
> DNSOP mailing list