Re: [IPsec] Spencer Dawkins' No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 05:32 UTC

Date: Wed, 21 Nov 2018 00:32:08 -0500
From: Paul Wouters <paul@nohats.ca>
To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
cc: The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, david.waltermire@nist.gov
In-Reply-To: <154275031487.29795.6995020474049388117.idtracker@ietfa.amsl.com>
Message-ID: <alpine.LRH.2.21.1811210026410.29140@bofh.nohats.ca>
References: <154275031487.29795.6995020474049388117.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/QxbMa0PhYu9Wagq6qBZnW4c08Rk>
Subject: Re: [IPsec] Spencer Dawkins' No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

On Tue, 20 Nov 2018, Spencer Dawkins wrote:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Perhaps it would be helpful to give an example of why
>
>  A client using these configuration payloads will be able to request
>   and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
>   and INTERNAL_DNSSEC_TA configuration attributes.  The client device
>   can use the internal DNS server(s) for any DNS queries within the
>   assigned domains.  DNS queries for other domains SHOULD be sent to
>   the regular external DNS server.
>
> DNS queries for other domains might not be sent to the regular external DNS
> server? I'm thinking of one, but I'm flat-out guessing.

I think you are right, and we are mixing up INTERNAL_IP4_DNS with
INTERNAL_DNS_DOMAIN.

The idea is that the client can decide to not only use some
authoritative internal servers, but also use some recursive internal
servers. But I think those should be specified in the existing
INTERNAL_IP4_DNS / INTERNAL_IP6_DNS attributes.

I suggest we change the above to:

   A client using these configuration payloads will be able to request
    and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
    and INTERNAL_DNSSEC_TA configuration attributes.  The client device
    can use the internal DNS server(s) for any DNS queries within the
    assigned domains.  DNS queries for other domains MAY be sent to
    an internal recursive DNS server specified in an INTERNAL_IP4_DNS
    or INTERNAL_IP6_DNS Configuration Payload but MAY also be resolved
    using the client's regular DNS resolving mechanisms outside of the
    IPsec connection.

Tommy, let me know what you think about this change?

Paul
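The resolver-selection policy described in the proposed replacement text, as an added example in Python (not code from the draft, the thread, or any implementation). The attribute names INTERNAL_DNS_DOMAIN, INTERNAL_IP4_DNS and INTERNAL_IP6_DNS come from the draft; the config structure, function names and sample values are constructed here, and the domain match is done on whole labels so that a name merely ending in the same characters as an assigned domain is not routed to the internal server.

```python
from dataclasses import dataclass
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # Normalise a DNS name: case-insensitive, trailing dot ignored.
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_domain(qname: str, domain: str) -> bool:
    """True if qname equals `domain` or is a subdomain of it.

    Matching is per label: 'evil-example.com' must NOT match an
    INTERNAL_DNS_DOMAIN of 'example.com', which a plain string suffix
    check would wrongly accept.
    """
    q, d = _labels(qname), _labels(domain)
    return len(d) > 0 and len(q) >= len(d) and q[-len(d):] == d


@dataclass
class SplitDnsConfig:
    # Constructed config shape (assumption), holding the received attributes.
    internal_dns_domains: List[str]        # INTERNAL_DNS_DOMAIN values
    internal_dns_servers: List[str]        # INTERNAL_IP4_DNS / INTERNAL_IP6_DNS
    use_internal_recursive: bool = False   # local policy for the "MAY" case


def select_resolver(cfg: SplitDnsConfig, qname: str) -> Optional[str]:
    """Return the internal server to query, or None to use the client's
    regular DNS resolving mechanism outside the IPsec connection."""
    if not cfg.internal_dns_servers:
        return None
    if any(in_domain(qname, d) for d in cfg.internal_dns_domains):
        return cfg.internal_dns_servers[0]  # query within an assigned domain
    if cfg.use_internal_recursive:
        return cfg.internal_dns_servers[0]  # other domain, internal recursive
    return None                             # other domain, regular resolver


# Constructed sample: two assigned domains, one internal server address.
SAMPLE = SplitDnsConfig(["example.com", "corp.example."], ["10.0.0.53"])
```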