[IPsec] Terry Manderson's No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

Terry Manderson <terry.manderson@icann.org> Wed, 21 November 2018 03:59 UTC

Return-Path: <terry.manderson@icann.org>
X-Original-To: ipsec@ietf.org
Delivered-To: ipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CF300130E79; Tue, 20 Nov 2018 19:59:50 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Terry Manderson <terry.manderson@icann.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-ipsecme-split-dns@ietf.org, David Waltermire <david.waltermire@nist.gov>, ipsecme-chairs@ietf.org, david.waltermire@nist.gov, ipsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.89.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <154277279083.29769.12251386687781208754.idtracker@ietfa.amsl.com>
Date: Tue, 20 Nov 2018 19:59:50 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/GnAh59iYyfnWySbRM629N3sdGKI>
Subject: [IPsec] Terry Manderson's No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 03:59:51 -0000

Terry Manderson has entered the following ballot position for
draft-ietf-ipsecme-split-dns-14: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


Thanks for the time and effort invested in this document. I'm also very
interested to see the resolution to Warren's DISCUSS regarding
ipsecme-split-dns being used as an easy tool to over-claim entire sections of
the DNS hierarchy. Perhaps specifying that the DOMAIN and TA sent to the client
MUST be in the administrative control of the VPN provider (I'm not sure I read
that in the draft) might be one way out, yet I wonder if this is a case of
simply having to trust that the VPN provider does the right thing (as cold as
that leaves me) regardless of the words in the document.