Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 15:17 UTC

Date: Wed, 21 Nov 2018 10:10:48 -0500
From: Paul Wouters <paul@nohats.ca>
To: Warren Kumari <warren@kumari.net>
cc: ipsec@ietf.org, ipsecme-chairs@ietf.org, david.waltermire@nist.gov, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-split-dns@ietf.org
In-Reply-To: <alpine.LRH.2.21.1811210006170.29140@bofh.nohats.ca>
Message-ID: <alpine.LRH.2.21.1811211008240.24767@bofh.nohats.ca>
References: <154275299932.29937.5149382512933072864.idtracker@ietfa.amsl.com> <alpine.LRH.2.21.1811210006170.29140@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/MUThYPbUQIlunn1TEEfmm5S7QDU>

On Wed, 21 Nov 2018, Paul Wouters wrote:

>>  I’m also not quite sure how this interacts with delegations. E.g:
>>
>>  example.com   600 IN NS ns01.internal.example
>>  And then INTERNAL_DNS_DOMAIN(internal.example) — if the client runs a
>>  local recursive, does it need to send the query to ns01 through the VPN or not?

I added some text that clarifies dependencies:

    Deployments that configure INTERNAL_DNS_DOMAIN domains should pay
    close attention to their use of indirect reference RRtypes in their
    internal-only domain names.  Examples of such RRtypes are CNAME,
    DNAME, MX or SRV records.  For example, if the MX record for
    "internal.example.com" points to "mx.internal.example.net", then both
    "internal.example.com" and "internal.example.net" should be sent
    using an INTERNAL_DNS_DOMAIN Configuration Payload.

Paul