Re: DNS and VPN
Michael Richardson <mcr@sandelman.ottawa.on.ca> Mon, 23 March 1998 16:32 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id LAA23560 for ipsec-outgoing; Mon, 23 Mar 1998 11:32:07 -0500 (EST)
Message-Id: <199803231648.LAA00512@morden.sandelman.ottawa.on.ca>
To: vvkumar@lucent.com
CC: ipsec@tis.com
Subject: Re: DNS and VPN
In-reply-to: Your message of "Mon, 23 Mar 1998 10:20:20 EST." <35167DB4.7A82@lucent.com>
Date: Mon, 23 Mar 1998 11:48:55 -0500
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
>>>>> "Kumar" == Kumar V Vemuri <vvkumar@lucent.com> writes:

    Kumar> RAS. How does one now resolve DNS queries across sites ?

The best way is for the IPsec client to include a DNS server locally,
which either
  a) knows which domains to forward to which internal DNS servers
  b) acts as a secondary for all the internal DNS servers (thus answering
     the queries locally)
     [Bind 8 could transfer just the "STUB" zones, and avoid having
     everything locally]
  c) something else

    Kumar> Also, does not Win 95 permit one to have only two choices

Technology is not limited by what Win95 can do.

    Kumar> for DNS ? Does this restrict the number of tunnels to a
    Kumar> maximum of two ?). I think it is unlikely that the client

No, since a "domain does not exist" failure from the first does cause the
machine to query the second. Instead, one needs to put 127.0.0.1 in, and
run a DNS server locally.

    Kumar> b. Recently, in the mailing list, there was a reference
    Kumar> to the SKIX (Symmetric Key Infrastructure Architecture) and
    Kumar> X.17 in the context of symmetric manual keying in
    Kumar> IPSec. Could someone point me to the appropriate IETF group
    Kumar> that is working on this ?

I think this was partially in jest. No IETF WG exists by that name, but if
one did exist, then they might start with the ITU's X.17 standard.

]  Network Security Consulting and Contract Programming  |  SSH IPsec  [
]  Michael Richardson, Sandelman Software Works, Ottawa, ON |international[
]  mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
]  panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
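Option (a) in the reply above, sketched as an added example that is not part of the original message: the forwarding decision a local DNS server on 127.0.0.1 would make for each query, with one internal zone per tunnel. The zone names, server addresses and function names are constructed placeholders.

```python
# Added example: forwarding table for a local DNS forwarder on a VPN client.
# All zone names and server addresses below are constructed placeholders.

DEFAULT_UPSTREAM = "192.0.2.53"  # resolver used for everything not internal

# One entry per tunnel: internal zone -> DNS servers reachable through it.
FORWARD_ZONES = {
    "corp.example.": ["10.1.0.53", "10.1.0.54"],
    "lab.corp.example.": ["10.2.0.53"],
    "partner.example.": ["10.9.0.53"],
    "10.in-addr.arpa.": ["10.1.0.53"],  # reverse lookups for internal space
}


def normalize(name):
    """Lower-case and fully qualify: 'Host.Corp.Example' -> 'host.corp.example.'"""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def select_upstreams(qname, zones=FORWARD_ZONES, default=DEFAULT_UPSTREAM):
    """Return (matched_zone, servers) by longest-suffix match on whole labels."""
    labels = normalize(qname).rstrip(".").split(".")
    # Most specific candidate first: a.b.c. -> b.c. -> c.
    # Matching whole labels keeps 'notcorp.example' out of 'corp.example.'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate, list(zones[candidate])
    return None, [default]


def leaks_internal_name(qname, chosen_servers, zones=FORWARD_ZONES):
    """True if an internal name would go to a server outside its zone's list."""
    zone, allowed = select_upstreams(qname, zones)
    return zone is not None and any(s not in allowed for s in chosen_servers)


if __name__ == "__main__":
    for q in ("www.corp.example", "build.lab.corp.example",
              "notcorp.example", "5.0.1.10.in-addr.arpa", "www.example.org"):
        print(q, "->", select_upstreams(q))
```

Because the table is keyed by zone rather than by resolver slot, the number of tunnels is bounded by the number of entries, not by how many DNS servers the client OS lets you configure.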