Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 November 2018 17:55 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF246128CE4; Wed, 21 Nov 2018 09:55:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.098
X-Spam-Level:
X-Spam-Status: No, score=-0.098 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BPPqLiUZdEcS; Wed, 21 Nov 2018 09:55:50 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C7E3128AFB; Wed, 21 Nov 2018 09:55:50 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 430Vc16ncNzLMc; Wed, 21 Nov 2018 18:55:45 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1542822945; bh=xJcW6gIW1XALG2tAJ6WemV2XU95mxCm7savLKHvwFNg=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=WQOjPJ6PZB58n4K9e9FGc1bMa6+GSnQ5Kfq4xlXRFm51YMwK2nQ6g8CFovzHahKHN gLtl2nml1X1V1usOVrXY/dBu6sCdA4CHICHry9Z5Ss0SftqArl8CWpnUJpWguHD474 qbqD5jF692HtJ3TD1GifJEXRH87VnDu25in1DlAs=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 4SrseJHKWkjF; Wed, 21 Nov 2018 18:55:41 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 21 Nov 2018 18:55:40 +0100 (CET)
Received: from [192.168.1.10] (node-11u3.pool-118-173.dynamic.totbb.net [118.173.191.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id EE4C849ED70; Wed, 21 Nov 2018 12:55:38 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca EE4C849ED70
Content-Type: multipart/alternative; boundary="Apple-Mail-1882E732-36B5-41D2-AF1F-37484AB459CE"
Mime-Version: 1.0 (1.0)
From: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (16A405)
In-Reply-To: <CAHw9_iLv=f7Z0m6Fa_XfcPF26ia-NTSoaCqOJLN3E1Y1jYu=hg@mail.gmail.com>
Date: Thu, 22 Nov 2018 00:55:34 +0700
Cc: The IESG <iesg@ietf.org>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, "Waltermire, David A." <david.waltermire@nist.gov>
Content-Transfer-Encoding: 7bit
Message-Id: <2010C828-FE1A-4500-88A7-F3A809440464@nohats.ca>
References: <154275299932.29937.5149382512933072864.idtracker@ietfa.amsl.com> <alpine.LRH.2.21.1811210006170.29140@bofh.nohats.ca> <CAHw9_iKyBpOa1ktYvDDvuHnN+nLN7GnP49PwdT6-FWqNzDrUgg@mail.gmail.com> <alpine.LRH.2.21.1811211012160.24767@bofh.nohats.ca> <CAHw9_i+j92j4-DZHrL21CNkUFdheOO6z5+wfsG8Lrq1WorwnCw@mail.gmail.com> <3734030E-4394-4C1A-9FE7-493FF5EC7FED@nohats.ca> <CAHw9_iLv=f7Z0m6Fa_XfcPF26ia-NTSoaCqOJLN3E1Y1jYu=hg@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/mQxrv97dVjYWIygN1wkwdXkcQP8>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 17:55:53 -0000

On Nov 22, 2018, at 00:03, Warren Kumari <warren@kumari.net> wrote:
> 
> 
> 
> I am sympathetic to the general use case, but really don't want this to open scary security holes / decrease "trust" in DNSSEC.

By not allowing VPNs to use an enterprise internal dnssec trust anchor, you also erode trust in dnssec, or end up not using dnssec internally at all when connected via VPN.

I suggest you wait for me to push -15 before asking dnsop. It should be out today or tomorrow and contains quite some changes related to this topic.

Paul