Re: [mif] draft-ietf-mif-current-practices-00

Dave Thaler <dthaler@microsoft.com> Mon, 12 April 2010 22:43 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: "teemu.savolainen@nokia.com" <teemu.savolainen@nokia.com>, "g_e_montenegro@yahoo.com" <g_e_montenegro@yahoo.com>, "dwing@cisco.com" <dwing@cisco.com>, "denghui02@gmail.com" <denghui02@gmail.com>
Date: Mon, 12 Apr 2010 22:43:04 +0000
Message-ID: <9B57C850BB53634CACEC56EF4853FF65139303B3@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
References: <044f01cad05d$22cdd090$c6f0200a@cisco.com> <n2h1d38a3351004051939m78d84b11qe9f58c4228886d2e@mail.gmail.com> <9B57C850BB53634CACEC56EF4853FF651392747A@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com> <07e201cad5ba$4d53eea0$7893150a@cisco.com> <9B57C850BB53634CACEC56EF4853FF6513928B14@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com> <h2t1d38a3351004071928n8d88b955u5de0dfcd63a9f625@mail.gmail.com> <0f7701cad726$e8e28990$7893150a@cisco.com> <294720.31470.qm@web82601.mail.mud.yahoo.com> <18034D4D7FE9AE48BF19AB1B0EF2729F59D5D5F4FD@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <18034D4D7FE9AE48BF19AB1B0EF2729F59D5D5F4FD@NOK-EUMSG-01.mgdnok.nokia.com>
Cc: "mif@ietf.org" <mif@ietf.org>
Subject: Re: [mif] draft-ietf-mif-current-practices-00

> -----Original Message-----
> From: teemu.savolainen@nokia.com [mailto:teemu.savolainen@nokia.com]
> Sent: Monday, April 12, 2010 1:53 PM
> To: g_e_montenegro@yahoo.com; dwing@cisco.com; denghui02@gmail.com; Dave Thaler
> Cc: mif@ietf.org
> Subject: RE: [mif] draft-ietf-mif-current-practices-00
> 
> Hi,
> 
> Why do you think #4 is not mif-specific? What possible use NRPT has for single
> interfaced host? Or is the idea such that a host could have single interface,
> but just use different DNS server for queries matching NRPT?

Right.  The NRPT is similar to a configured cache of NS records.
It's used to solve the problem of having access to multiple disjoint namespaces
(like corporate DNS and public DNS).  Private names aren't resolvable in
the public DNS, so you have to know which DNS server to ask.

> ....hmm...
> Do you consider a host using DirectAccess single or multi-interfaced? From my
> quick reading of the DirectAccess feature, it sounds to be somewhere in
> between - not obviously multi-interface like the VPN-case is, but not quite
> single-interfaced either.

Right, it could be either one.

> 
> Is there a way to configure NRPT policies remotely via some protocol?

Yes, it's designed to be configured by an enterprise administrator of the
organization that manages the host.  So there's an authenticated
configuration distribution protocol for ActiveDirectory-domain-joined hosts.

-Dave

> 
> Thanks for explanation,
> 
> Teemu
> 
> > -----Original Message-----
> > From: mif-bounces@ietf.org [mailto:mif-bounces@ietf.org] On Behalf Of
> > ext gabriel montenegro
> > Sent: 08. huhtikuuta 2010 23:17
> > To: Dan Wing; Hui Deng; Dave Thaler
> > Cc: mif@ietf.org
> > Subject: Re: [mif] draft-ietf-mif-current-practices-00
> >
> > In addition to those three usages of "suffix":
> >
> > 1. Domain Search list suffix
> > 2. For interface-specific suffix list
> > 3. Suffix to control Dynamic DNS Updates
> >
> > There is yet another usage in Windows introduced in windows 7 and its
> > server counterpart, Windows Server 2008 R2:
> >
> > 4. Suffix in the NRPT [1] to aid in identifying a Namespace that
> > requires special handling, as used for DirectAccess [2]. This is not
> > MIF-specific either.
> >
> > Only #2 is MIF-specific (and this should be called out), but it makes
> > sense to clarify the other uses of "suffix" otherwise #2 won't be clear.
> >
> > [1] NRPT: See http://technet.microsoft.com/en-us/magazine/ff394369.aspx
> > [2] DirectAccess: http://technet.microsoft.com/en-us/magazine/2009.05.cableguy.aspx
> >
> > Gabriel
> >
> > ----- Original Message ----
> > > From: Dan Wing <dwing@cisco.com>
> > > To: Hui Deng <denghui02@gmail.com>; Dave Thaler <dthaler@microsoft.com>
> > > Cc: mif@ietf.org; Gabriel Montenegro <gmonte@microsoft.com>
> > > Sent: Thu, April 8, 2010 7:22:23 AM
> > > Subject: Re: [mif] draft-ietf-mif-current-practices-00
> > >
> > > -----Original Message-----
> > > From: Hui Deng [mailto:denghui02@gmail.com]
> > > Sent: Wednesday, April 07, 2010 7:29 PM
> > > To: Dave Thaler
> > > Cc: Dan Wing; Gabriel Montenegro; mif@ietf.org
> > > Subject: Re: [mif] draft-ietf-mif-current-practices-00
> > >
> > > 2nd purpose has been documented in the current practice draft,
> > > whether 1st and 3rd purpose need to be documented as well? it may not
> > > directly related to MIF?
> > >
> > > Some operating systems -- e.g., most flavors of Unix -- do not support the
> > > ability for sending different DNS queries to different DNS servers.
> > >
> > > It would be helpful if the draft more clearly described the functionality.
> > > Someone unfamiliar with the Windows functionality, reading the draft, assumes
> > > it is merely talking about the 'domain search list' -- because that is what
> > > they are familiar with.
> > >
> > > I don't care how the draft is fixed to make it clearer.  I propose describing
> > > the 2 (and, as Dave pointed out, 3) functions.  If you want to adjust the
> > > document to instead talk about the per-interface stuff, that's great -- my
> > > point is that right now it is insufficiently clear in explaining it.
> > >
> > > -d
> > >
> > > -Hui
> > >
> > > 2010/4/7 Dave Thaler <dthaler@microsoft.com>:
> > > >> -----Original Message-----
> > > >> From: Dan Wing [mailto:dwing@cisco.com]
> > > >> Sent: Tuesday, April 06, 2010 11:52 AM
> > > >> To: Dave Thaler; 'Hui Deng'; Gabriel Montenegro
> > > >> Cc: mif@ietf.org
> > > >> Subject: RE: [mif] draft-ietf-mif-current-practices-00
> > > >>
> > > >> > -----Original Message-----
> > > >> > From: Dave Thaler [mailto:dthaler@microsoft.com]
> > > >> > Sent: Tuesday, April 06, 2010 10:06 AM
> > > >> > To: Hui Deng; Dan Wing; Gabriel Montenegro
> > > >> > Cc: mif@ietf.org
> > > >> > Subject: RE: [mif] draft-ietf-mif-current-practices-00
> > > >> >
> > > >> > Hui is correct, Windows has per-interface DNS server lists configured.
> > > >> >
> > > >> > It then uses a host-wide "effective" server list for an actual query,
> > > >> > where the effective server list may be different for different names.
> > > >> >
> > > >> > On Windows the per-interface suffix is actually termed the
> > > >> > "connection-specific DNS suffix" to distinguish it from the
> > > >> > "primary DNS suffix" of the machine.  I think that's why
> > > >> > "interface-specific" was repeated in the first bullet.
> > > >>
> > > >> In draft-montenegro-mif-multihoming, there are two purposes and terms that
> > > >> seem to be intermingled using the term "DNS suffix".
> > > >>
> > > >> One purpose is the suffix for non-FQDN names, like "payroll" or "mail",
> > > >> which will have a suffix added to them (e.g., example.com).
> > > >
> > > > That's what windows calls the "DNS Suffix Search List" (see the
> > > > sample output I sent previously below).  It's called the
> > > > "domain search list" in other places (like RFC 3397), or just
> > > > "search list" (RFC 1123).
> > > >
> > > >> The other purpose is deciding which DNS server will be sent a query for
> > > >> a certain FQDN (e.g., queries for *.example.net go to one DNS server
> > > >> and queries for *.example.com go to a different DNS server).
> > > >
> > > > Another purpose is deciding which DNS server will receive a dynamic
> > > > update for a name with a certain suffix (e.g., Windows supports dynamic
> > > > updates for the primary DNS name, and optionally also the connection-
> > > > specific DNS name of the machine).
> > > >
> > > >> In draft-ietf-mif-current-practices-00, which is the WG document
> > > >> that seems to have boiled down draft-montenegro-mif-multihoming,
> > > >> but draft-ietf-mif-current-practices-00 also does not clearly
> > > >> separate the two purposes.
> > > >
> > > > Yep
> > > >
> > > > -Dave
> > > >>
> > > >> -d
> > > >>
> > > >> > Example on Windows, extracted from "ipconfig /all" output:
> > > >> >
> > > >> > Windows IP Configuration
> > > >> >
> > > >> >    Host Name . . . . . . . . . . . . : dthaler-win7
> > > >> >    Primary Dns Suffix  . . . . . . . : ntdev.corp.microsoft.com
> > > >> >    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > >> >    Node Type . . . . . . . . . . . . : Hybrid
> > > >> >    IP Routing Enabled. . . . . . . . : No
> > > >> >    WINS Proxy Enabled. . . . . . . . : No
> > > >> >    DNS Suffix Search List. . . . . . : ntdev.corp.microsoft.com
> > > >> >                                        redmond.corp.microsoft.com
> > > >> >                                        ntdev.microsoft.com
> > > >> >                                        dns.corp.microsoft.com
> > > >> >    System Quarantine State . . . . . : Not Restricted
> > > >> >
> > > >> > Wireless LAN adapter Wireless Network Connection:
> > > >> >
> > > >> >    Connection-specific DNS Suffix  . : hsd1.wa.comcast.net.
> > > >> >    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > >> >    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
> > > >> >    Physical Address. . . . . . . . . : 00-1D-E0-34-4F-6F
> > > >> >    DHCP Enabled. . . . . . . . . . . : Yes
> > > >> >    Autoconfiguration Enabled . . . . : Yes
> > > >> >    Link-local IPv6 Address . . . . . : fe80::4853:4753:9d8d:3b45%13(Preferred)
> > > >> >    IPv4 Address. . . . . . . . . . . : 192.168.0.195(Preferred)
> > > >> >    Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > >> >    Lease Obtained. . . . . . . . . . : Monday, April 05, 2010 10:19:02 PM
> > > >> >    Lease Expires . . . . . . . . . . : Tuesday, April 06, 2010 10:19:02 PM
> > > >> >    Default Gateway . . . . . . . . . : 192.168.0.1
> > > >> >    DHCP Server . . . . . . . . . . . : 192.168.0.1
> > > >> >    DHCPv6 IAID . . . . . . . . . . . : 335551968
> > > >> >    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-0C-E2-7A-00-1E-37-CC-8D-DD
> > > >> >    DNS Servers . . . . . . . . . . . : 2001:df8:0:1::25
> > > >> >                                        192.168.0.1
> > > >> >    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > >> >    NetBIOS over Tcpip. . . . . . . . : Enabled
> > > >> >
> > > >> > -Dave
> > > >> >
> > > >> > > -----Original Message-----
> > > >> > > From: Hui Deng [mailto:denghui02@gmail.com]
> > > >> > > Sent: Monday, April 05, 2010 7:40 PM
> > > >> > > To: Dan Wing; Gabriel Montenegro; Dave Thaler
> > > >> > > Cc: mif@ietf.org
> > > >> > > Subject: Re: [mif] draft-ietf-mif-current-practices-00
> > > >> > >
> > > >> > > DNS server always has specific interface related information,
> > > >> > > but the final DNS server will still be host based, I wouldn't say it
> > > >> > > is not correct.
> > > >> > >
> > > >> > > one example would be you have internet connection and vpn connection
> > > >> > > at the same time,
> > > >> > > good VPN implementation will always rely on VPN DNS server information
> > > >> > > for Internet connection.
> > > >> > >
> > > >> > > -Hui
> > > >> > >
> > > >> > > 2010/3/31 Dan Wing <dwing@cisco.com>:
> > > >> > > > Section 3.2.1.3 of describes the DNS configuration of Windows, and
> > > >> > > > says:
> > > >> > > >
> > > >> > > >  "Interface specific DNS configuration can be input via static
> > > >> > > >  configuration or via DHCP.  It includes:
> > > >> > > >
> > > >> > > >   o  An interface-specific suffix list.
> > > >> > > >
> > > >> > > >   o  A list of DNS server IP addresses."
> > > >> > > >
> > > >> > > > It is curious that the first bullet repeats "interface specific", but
> > > >> > > > the second bullet does not repeat it.  A reasonable interpretation is
> > > >> > > > that the second bullet is not interface-specific, but the lead-in
> > > >> > > > sentence says this is interface-specific.  I was hoping
> > > >> > > > draft-montenegro-mif-multihoming-00 would clarify, but it doesn't.
> > > >> > > >
> > > >> > > > -d
> > > >> > > >
> > > >> > > > _______________________________________________
> > > >> > > > mif mailing list
> > > >> > > > mif@ietf.org
> > > >> > > > https://www.ietf.org/mailman/listinfo/mif
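The thread keeps circling around the fact that one word, "suffix", names three different mechanisms: the search list that completes single-label names, the per-suffix choice of which DNS servers receive a query (per-interface server lists, and on Windows 7 the NRPT), and the suffix under which the host registers itself by dynamic update. The following is an added toy model written for this archive page, not code from the thread, from Windows, or from any of the drafts; it makes the three roles separate functions so their inputs and outputs can be compared. Everything in it is an assumption of the model: `Host`, `Interface`, `NrptRule` and the function names are invented; the NRPT lookup is modelled as longest-matching-namespace-wins and falls back to the union of all interfaces' server lists (Dave's "host-wide effective list"); rules are honoured only when their `source` is the authenticated policy channel (here labelled `"group-policy"`, following Dave's remark that the NRPT is pushed by the managing organisation, so a suffix learned over DHCP must not be allowed to redirect private-namespace queries); and the sample host, suffixes and RFC 5737 addresses are constructed.

```python
"""Toy model of the three roles a "DNS suffix" plays on a multi-interface host.

Added illustration; not Windows code and not taken from the MIF drafts.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    dns_servers: List[str]
    connection_suffix: Optional[str] = None     # "connection-specific DNS suffix"
    register_connection_suffix: bool = False    # opt-in dynamic update of that name


@dataclass
class NrptRule:
    namespace: str          # e.g. ".corp.example": matches names under that suffix
    dns_servers: List[str]
    source: str             # who supplied the rule; only "group-policy" is trusted (assumption)


@dataclass
class Host:
    hostname: str
    primary_suffix: str
    search_list: List[str]
    interfaces: List[Interface]
    nrpt: List[NrptRule] = field(default_factory=list)


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def _is_under(fqdn: str, namespace: str) -> bool:
    """True when fqdn equals the namespace or is a subdomain of it."""
    fqdn, ns = _normalize(fqdn), _normalize(namespace).lstrip(".")
    return fqdn == ns or fqdn.endswith("." + ns)


def candidate_names(host: Host, name: str) -> List[str]:
    """Role 1, the search list: a single-label name is tried with each suffix in order.
    Names containing a dot are treated as already qualified."""
    name = _normalize(name)
    if "." in name:
        return [name]
    return ["%s.%s" % (name, _normalize(s)) for s in host.search_list]


def effective_servers(host: Host, fqdn: str) -> List[str]:
    """Role 2, per-suffix server selection: the longest trusted NRPT namespace that
    covers the name wins; otherwise the host-wide list built from every interface."""
    trusted = [r for r in host.nrpt if r.source == "group-policy"]   # assumption: policy source check
    matches = [r for r in trusted if _is_under(fqdn, r.namespace)]
    if matches:
        best = max(matches, key=lambda r: len(_normalize(r.namespace).lstrip(".")))
        return list(best.dns_servers)
    seen, out = set(), []
    for iface in host.interfaces:                 # interface order, duplicates dropped
        for server in iface.dns_servers:
            if server not in seen:
                seen.add(server)
                out.append(server)
    return out


def resolve_plan(host: Host, name: str) -> List[Tuple[str, List[str]]]:
    """Which FQDNs would be tried for `name`, and which servers each query would go to."""
    return [(fqdn, effective_servers(host, fqdn)) for fqdn in candidate_names(host, name)]


def dynamic_update_targets(host: Host) -> List[Tuple[str, List[str]]]:
    """Role 3, dynamic update: the primary name is always registered; a
    connection-specific name only where the interface opted in."""
    targets = [("%s.%s" % (host.hostname, host.primary_suffix),
                effective_servers(host, host.primary_suffix))]
    for iface in host.interfaces:
        if iface.connection_suffix and iface.register_connection_suffix:
            targets.append(("%s.%s" % (host.hostname, iface.connection_suffix),
                            list(iface.dns_servers)))
    return targets


# Constructed sample host: a Wi-Fi link plus a corporate VPN, with two pushed NRPT
# rules and one rule that arrived over DHCP and is therefore ignored.
EXAMPLE_HOST = Host(
    hostname="lab-pc",
    primary_suffix="corp.example",
    search_list=["corp.example", "lab.corp.example"],
    interfaces=[
        Interface("Wi-Fi", ["192.0.2.53"], connection_suffix="home.example"),
        Interface("VPN", ["198.51.100.10"], connection_suffix="vpn.corp.example",
                  register_connection_suffix=True),
    ],
    nrpt=[
        NrptRule(".corp.example", ["198.51.100.10"], source="group-policy"),
        NrptRule(".lab.corp.example", ["198.51.100.20"], source="group-policy"),
        NrptRule(".example", ["203.0.113.66"], source="dhcp"),
    ],
)

if __name__ == "__main__":
    for query in ("payroll", "www.example.net.", "intranet.example"):
        for fqdn, servers in resolve_plan(EXAMPLE_HOST, query):
            print("%-28s -> %s" % (fqdn, ", ".join(servers)))
    for name, servers in dynamic_update_targets(EXAMPLE_HOST):
        print("register %-24s at %s" % (name, ", ".join(servers)))
```

Running it shows the distinction Dan asked the draft to make explicit: `payroll` is expanded by the search list into two candidate names, and each candidate is then routed by a different NRPT entry, while a public name that matches no trusted rule goes to the interfaces' combined server list regardless of any suffix learned from DHCP.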