Re: [IPsec] Spencer Dawkins' No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)
Tero Kivinen <kivinen@iki.fi> Sat, 24 November 2018 21:15 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCFD3130FB8; Sat, 24 Nov 2018 13:15:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.42
X-Spam-Level:
X-Spam-Status: No, score=-3.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eIulm-zgdnwT; Sat, 24 Nov 2018 13:15:53 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 972E0130DF5; Sat, 24 Nov 2018 13:15:51 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id wAOLFkxs012548 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 24 Nov 2018 23:15:46 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id wAOLFkut008736; Sat, 24 Nov 2018 23:15:46 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23545.49026.588213.633610@fireball.acr.fi>
Date: Sat, 24 Nov 2018 23:15:46 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: Spencer Dawkins <spencerdawkins.ietf@gmail.com>, ipsec@ietf.org, ipsecme-chairs@ietf.org, draft-ietf-ipsecme-split-dns@ietf.org, The IESG <iesg@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1811210944410.24767@bofh.nohats.ca>
References: <154275031487.29795.6995020474049388117.idtracker@ietfa.amsl.com> <alpine.LRH.2.21.1811210026410.29140@bofh.nohats.ca> <alpine.LRH.2.21.1811210944410.24767@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 11 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/x5nv3Am6DnzEKCEtrJlCAmDadZ0>
Subject: Re: [IPsec] Spencer Dawkins' No Objection on draft-ietf-ipsecme-split-dns-14: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Nov 2018 21:15:56 -0000
Paul Wouters writes: > So I suggest instead: > > A client using these configuration payloads will be able to request > and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN > and INTERNAL_DNSSEC_TA configuration attributes. These attributes > MUST be accompanied by one or more INTERNAL_IP4_DNS or > INTERNAL_IP6_DNS configuration attributes. The client device can > then use the internal DNS server(s) for any DNS queries within the > assigned domains. DNS queries for other domains MUST be sent to the > regular DNS service of the client. So the meaning of the INTERNAL_IP*_DNS changs meaning depending whether you have INTERNAL_DNS_DOMAIN or not. You might want to be bit more text explaining that in this paragraph. Currently if server send INTERNAL_IP*_DNS (and do not include INTERNAL_DNS_DOMAIN), then clients usually send all dns queries to that server. Typically enterprice users trust their own DNS servers more than the DNS server provided by the hotel... After this change client must have some other DNS server also configured, and MUST use them for other domains. Of course the general idea for the Split-DNS is that we do not send all dns traffic to server, only those internal domains, but one main use for it is also to provide TAs for those internal domains so DANE etc can work for internal services. Anyways I think changing that to say "SHOULD be sent" could work better, i.e., depending on the policy clients could either send requests to normal DNS server or to the server provided in IKE. Note, that the original configuration payload was supposed to provide similar information than what DHCP does, so client does not need to have anything preconfigured, but can get the whole network configuration from the server. This included addresses, dns servers, etc, and even DHCP server address that it can use to get attributes not included in the configuration payload. Usually the configuration parameters received from configuration payload replaced the parameters they had before. -- kivinen@iki.fi
- [IPsec] Spencer Dawkins' No Objection on draft-ie… Spencer Dawkins
- Re: [IPsec] Spencer Dawkins' No Objection on draf… Paul Wouters
- Re: [IPsec] Spencer Dawkins' No Objection on draf… Paul Wouters
- Re: [IPsec] Spencer Dawkins' No Objection on draf… Tero Kivinen
- Re: [IPsec] Spencer Dawkins' No Objection on draf… Paul Wouters
- Re: [IPsec] Spencer Dawkins' No Objection on draf… Tero Kivinen