Re: [IPsec] Spencer Dawkins' No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 14:49 UTC

Date: Wed, 21 Nov 2018 09:48:47 -0500
From: Paul Wouters <paul@nohats.ca>
To: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
cc: ipsec@ietf.org, ipsecme-chairs@ietf.org, david.waltermire@nist.gov, The IESG <iesg@ietf.org>, draft-ietf-ipsecme-split-dns@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/TgY1bB_uJpfWIciQFXz1YYj-gEo>

On Wed, 21 Nov 2018, Paul Wouters wrote:

> I think you are right, and we are mixing up INTERNAL_IP4_DNS with
> INTERNAL_DNS_DOMAIN.
>
> The idea is that the client can decide to not only use some
> authoritative internal servers, but also use some recursive internal
> servers. But I think those should be specified in the existing
> INTERNAL_IP4_DNS / INTERNAL_IP6_DNS attributes.

Actually, that does not work. The current specification does not allow
an INTERNAL_IP4_DNS or INTERNAL_IP6_DNS to be associated with only some
(or none) of the INTERNAL_DNS_DOMAINS.

> I suggest we change the above to:
>
>   A client using these configuration payloads will be able to request
>    and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
>    and INTERNAL_DNSSEC_TA configuration attributes.  The client device
>    can use the internal DNS server(s) for any DNS queries within the
>    assigned domains.  DNS queries for other domains MAY be sent to
>    an internal recursive DNS server specified in an INTERNAL_IP4_DNS
>    or INTERNAL_IP6_DNS Configuration Payload but MAY also be resolved
>    using the client's regular DNS resolving mechanisms outside of the
>    IPsec connection.

So I suggest instead:

    A client using these configuration payloads will be able to request
    and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
    and INTERNAL_DNSSEC_TA configuration attributes.  These attributes
    MUST be accompanied by one or more INTERNAL_IP4_DNS or
    INTERNAL_IP6_DNS configuration attributes.  The client device can
    then use the internal DNS server(s) for any DNS queries within the
    assigned domains.  DNS queries for other domains MUST be sent to the
    regular DNS service of the client.

Paul
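The client behaviour described in the proposed paragraph above, as an added example that is not part of the thread or of the draft: queries within an assigned INTERNAL_DNS_DOMAIN go to the INTERNAL_IP4_DNS / INTERNAL_IP6_DNS servers, everything else goes to the client's regular DNS service, and a configuration that carries domains without any internal server is rejected per the proposed MUST. The SplitDnsConfig class, the function names and the sample addresses and domains are constructed here; only the attribute names come from the draft.

```python
"""Client-side split-DNS routing for the proposed text (added example).

The configuration layout and sample values are constructed for this
illustration; only the IKEv2 attribute names come from the draft.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SplitDnsConfig:
    # Values of the received configuration attributes (constructed layout).
    internal_dns_domain: List[str] = field(default_factory=list)
    internal_ip4_dns: List[str] = field(default_factory=list)
    internal_ip6_dns: List[str] = field(default_factory=list)

    def validate(self) -> bool:
        """Enforce the proposed MUST: INTERNAL_DNS_DOMAIN attributes need at
        least one INTERNAL_IP4_DNS or INTERNAL_IP6_DNS server to send
        in-domain queries to; otherwise the configuration is unusable."""
        if self.internal_dns_domain and not (
            self.internal_ip4_dns or self.internal_ip6_dns
        ):
            raise ValueError(
                "INTERNAL_DNS_DOMAIN without INTERNAL_IP4_DNS/INTERNAL_IP6_DNS"
            )
        return True


def _labels(name: str) -> List[str]:
    # Normalise: drop trailing dot, case-insensitive, split on label boundary.
    return name.rstrip(".").lower().split(".")


def in_domain(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it. Matching is done
    on whole labels so 'evilexample.com' is NOT within 'example.com'."""
    q, d = _labels(qname), _labels(domain)
    return len(q) >= len(d) and q[-len(d):] == d


def resolver_for(cfg: SplitDnsConfig, qname: str) -> Optional[List[str]]:
    """Return the internal DNS servers for a query within an assigned domain,
    or None, meaning: use the client's regular DNS service outside IPsec."""
    for dom in cfg.internal_dns_domain:
        if in_domain(qname, dom):
            return cfg.internal_ip4_dns + cfg.internal_ip6_dns
    return None
```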