Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Wed, 21 November 2018 17:58 UTC

References: <154275299932.29937.5149382512933072864.idtracker@ietfa.amsl.com> <alpine.LRH.2.21.1811210006170.29140@bofh.nohats.ca> <CAHw9_iKyBpOa1ktYvDDvuHnN+nLN7GnP49PwdT6-FWqNzDrUgg@mail.gmail.com> <alpine.LRH.2.21.1811211012160.24767@bofh.nohats.ca> <CAHw9_i+j92j4-DZHrL21CNkUFdheOO6z5+wfsG8Lrq1WorwnCw@mail.gmail.com> <3734030E-4394-4C1A-9FE7-493FF5EC7FED@nohats.ca> <CAHw9_iLv=f7Z0m6Fa_XfcPF26ia-NTSoaCqOJLN3E1Y1jYu=hg@mail.gmail.com> <2010C828-FE1A-4500-88A7-F3A809440464@nohats.ca>
In-Reply-To: <2010C828-FE1A-4500-88A7-F3A809440464@nohats.ca>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 21 Nov 2018 12:57:59 -0500
Message-ID: <CAHw9_i+0XCyrA6VD+Hgeao=03nCCnqfa4HxP1A3koJFBP-aAdg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, "Waltermire, David A." <david.waltermire@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/S2dDWg2YdTFHVtNjKngFtupU02Y>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

On Wed, Nov 21, 2018 at 12:55 PM Paul Wouters <paul@nohats.ca> wrote:

> On Nov 22, 2018, at 00:03, Warren Kumari <warren@kumari.net> wrote:
>
> I am sympathetic to the general use case, but really don't want this to
> open scary security holes / decrease "trust" in DNSSEC.
>
> By not allowing VPNs to use an enterprise internal dnssec trust anchor,
> you also erode trust in dnssec, or end up not using dnssec internally at
> all when connected via VPN.
>
True.
> I suggest you wait for me to push -15 before asking dnsop. It should be
> out today or tomorrow and contains quite some changes related to this topic.
>

Okey dokey, thank you.
Please let me know LOUDLY when you have a new version ready (I don't want
it to get lost in the post IETF103 / US Thanksgiving holiday / similar
shuffle).

W

> Paul

-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf