Re: [IPsec] draft-pauly-ipsecme-split-dns

Paul Wouters <paul@nohats.ca> Tue, 19 June 2018 19:07 UTC

Date: Tue, 19 Jun 2018 15:07:02 -0400
From: Paul Wouters <paul@nohats.ca>
To: Nico Williams <nico@cryptonector.com>
cc: Eric Rescorla <ekr@rtfm.com>, IPsecME WG <ipsec@ietf.org>, "draft-ietf-ipsecme-split-dns.all@ietf.org" <draft-ietf-ipsecme-split-dns.all@ietf.org>, "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>, Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <20180619183459.GC4218@localhost>
Message-ID: <alpine.LRH.2.21.1806191502350.21058@bofh.nohats.ca>
References: <alpine.LRH.2.21.1806181637240.22748@bofh.nohats.ca> <CABcZeBPZFswnn6zoK6h-Oiy8P1o5u-BVVExQSO48fxGWy1cwXQ@mail.gmail.com> <alpine.LRH.2.21.1806181644520.22748@bofh.nohats.ca> <CABcZeBPf6TEh3JtYwT7D6+90y40W7y_=Hx03xNzLxEuQM_YsLQ@mail.gmail.com> <alpine.LRH.2.21.1806181702230.13143@bofh.nohats.ca> <CABcZeBOa8qMhDyCMzPTAtUBZTYPGehrhPrr6h4cVCjP4QZ1+Ew@mail.gmail.com> <alpine.LRH.2.21.1806191109300.16269@bofh.nohats.ca> <CABcZeBPFw1iuHXV+_sEuMaRCYRSk1nH_FujeimOb=ViEAtvkVA@mail.gmail.com> <alpine.LRH.2.21.1806191159310.26059@bofh.nohats.ca> <CABcZeBN2HwiwVzAUjyZU+Q+toFM2jOKHD9xmKwM1V5qhUoULEQ@mail.gmail.com> <20180619183459.GC4218@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/vq_y96g3YZ1aPpGVqEsO8L975CY>

On Tue, 19 Jun 2018, Nico Williams wrote:

> The I-D should say that clients MUST allow local configuration of what
> domains to accept trust anchors for, and SHOULD allow local policy to
> list . as a domain for which to accept trust anchors.

Just one note. This draft is meant ONLY for use with split-tunnel VPNs.
If you are sending all traffic over the VPN, then INTERNAL_DNS_DOMAIN
and INTERNAL_DNSSEC_TA are irrelevant and MUST be ignored, because you
are no longer talking about a public vs private view. You are just
changing the entry point to the public view. Was that not clear from
the existing text?

Adding an option for "." as override trust anchor seems unnecessary
for any non-malicious use case I can think of. Can you give an example
of a valid use case?

Paul
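The client-side handling described in this exchange (ignore INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA entirely on a full tunnel, accept a DNSSEC trust anchor only for a locally configured domain, and treat "." as an option that is off unless local policy lists it), as an added Python illustration that is not code from this message, the draft or any IKE implementation. The payload data model, the prefix-length test for a full tunnel, and the rule that a trust anchor's domain must also appear in INTERNAL_DNS_DOMAIN are assumptions of the example.

```python
"""Illustrative client policy filter for IKEv2 split-DNS attributes.

Constructed for this example; not draft text or implementation code.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

ROOT = "."


@dataclass
class LocalPolicy:
    # Domains for which the client accepts server-supplied DNSSEC trust
    # anchors. "." is never implied; it must be listed here explicitly.
    ta_domains: set = field(default_factory=set)


def normalize(name):
    """Lower-case, strip the trailing dot, map "" and "." to ROOT."""
    name = name.strip().lower()
    return ROOT if name in ("", ROOT) else name.rstrip(".")


def is_split_tunnel(traffic_selectors):
    """A selector covering all of v4 or v6 (prefix length 0) means
    the whole Internet goes through the VPN: a full tunnel."""
    return all(ip_network(ts).prefixlen != 0 for ts in traffic_selectors)


def filter_dns_config(traffic_selectors, dns_domains, dnssec_tas, policy):
    """Return (accepted_domains, accepted_trust_anchors).

    dns_domains: INTERNAL_DNS_DOMAIN values received from the server.
    dnssec_tas:  INTERNAL_DNSSEC_TA values as dicts with a "domain" key
                 (constructed representation for the example).
    """
    if not is_split_tunnel(traffic_selectors):
        # Full tunnel: no private vs public view exists, so both
        # attributes are ignored in their entirety.
        return [], []
    domains = {normalize(d) for d in dns_domains}
    accepted = []
    for ta in dnssec_tas:
        dom = normalize(ta["domain"])
        if dom not in domains:
            continue  # assumption: TA must match a received DNS domain
        if dom not in policy.ta_domains:
            continue  # not authorised by local configuration
        accepted.append(ta)
    return sorted(domains), accepted
```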