Please send your comments to the revised draft-ietf-rtgwg-net2cloud-problem-statement based on comments from DNSop experts
Linda Dunbar <linda.dunbar@futurewei.com> Wed, 19 February 2020 22:54 UTC
Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E774120820 for <rtgwg@ietfa.amsl.com>; Wed, 19 Feb 2020 14:54:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OifnjZzO-9tc for <rtgwg@ietfa.amsl.com>; Wed, 19 Feb 2020 14:54:54 -0800 (PST)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2128.outbound.protection.outlook.com [40.107.244.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 388FC1200C7 for <rtgwg@ietf.org>; Wed, 19 Feb 2020 14:54:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Zi9yKf2rfyQ1i18BzOiesyZ3coTp5OUHvkc+mvq3AR2cgyuYao2GymB0DBWIaPlwMdPVR48G3wz3+kpE9D9u03dTnxgCUfm0RvQJEhMQTIsWckaK3qOcfwi/NSMT67ppvwOQW1WopcRN8CYS1LB+B5Rdz9nFeajJZyLNlGwVLnRFgMNIa7esPCeTYbKDd+HLRwlmW7F/WOVs0FD9EoObuJJK3FlcZ68qCxyEorisK2Wn46aCpi+FphvpjfpJKjF3xh0bVbPOVUE2QLqiAx7wc1JG50xnXFHYGE5+GbGyifEbv/4MXUI++QfpjA4HK+k8MUcmRAUNUHPo401BMCpPyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/PW+lMr9WUEYsUjKL9eLHebVKPfrE9xH7ePvdghaTag=; b=U48OaZZxt780gFzvda6pA61g2WzWuXbIC4eRl22/Rd4WjsWtWGHDj6c1VQqNbACo/IoZB0Qql1ypHDoGntONl6DsiNv2DDiDVk3Q7ZDBFOloNWdTvOhOvx5XcNBXe5ImhkgUfxbtE0NevPLaJ0Hk2MEohyMQdIZMBDFk+0jpcNU/YJZeaSXC0NreVWJVritGXVQDcMvd3KV4TVJFxZLn3nez1x6tkJPcMRGOVsUN7E3sy+Ywjsp1iL2bS4YCrUucq2MJj0EtauPqXS0UBCAEBKgqUCuLhAInHCsdncIhVM8Zgeml5cKalsWj6nvR2m/M6TsD5ve6KTlil9nZWib/OQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/PW+lMr9WUEYsUjKL9eLHebVKPfrE9xH7ePvdghaTag=; b=iXfZ+7KoZ886iH8qMNFX+yYu4m32UP9KZ7zV6OFmQ+MQCecQ5KY4hESxnL59wQmU1i0ZcmvNO+gvTYhdlgJ6PS3T6CnVI2zpP83100eNyngcIaXhJhm51raPnWMvwgWOLCIZPy2N1cTU0zCk4jmQjEVoYGoE7pELRengz72kJQc=
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com (10.174.170.35) by MWHPR1301MB1887.namprd13.prod.outlook.com (10.174.166.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.9; Wed, 19 Feb 2020 22:54:52 +0000
Received: from MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33]) by MWHPR1301MB2096.namprd13.prod.outlook.com ([fe80::e893:a912:1d3a:5a33%6]) with mapi id 15.20.2750.016; Wed, 19 Feb 2020 22:54:52 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Alia Atlas <akatlas@gmail.com>, RTGWG <rtgwg@ietf.org>
Subject: Please send your comments to the revised draft-ietf-rtgwg-net2cloud-problem-statement based on comments from DNSop experts
Thread-Topic: Please send your comments to the revised draft-ietf-rtgwg-net2cloud-problem-statement based on comments from DNSop experts
Thread-Index: AdXndAfsPpBmOSxBTG+jYR/xgj5axQ==
Date: Wed, 19 Feb 2020 22:54:51 +0000
Message-ID: <MWHPR1301MB2096A619892ADB57D2D14A7885100@MWHPR1301MB2096.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [12.111.81.95]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ed6bc8a5-1298-4cdb-8154-08d7b58ebad2
x-ms-traffictypediagnostic: MWHPR1301MB1887:
x-microsoft-antispam-prvs: <MWHPR1301MB1887219B93D4DB06A90D1B6C85100@MWHPR1301MB1887.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 0318501FAE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(346002)(366004)(376002)(39850400004)(396003)(136003)(199004)(189003)(2906002)(33656002)(9686003)(71200400001)(55016002)(316002)(478600001)(966005)(66946007)(8936002)(66446008)(186003)(81156014)(7696005)(5660300002)(8676002)(81166006)(66476007)(64756008)(6506007)(44832011)(110136005)(52536014)(66556008)(26005)(76116006)(53546011)(86362001)(71440200001); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR1301MB1887; H:MWHPR1301MB2096.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OTuLHo/Lz7TRgTLdbEsdaWU9a5mscVERktaRHM9z8BkoUPCjQ87AeOM3Za5Ws59nOCELg3r0U4an/EQ4B7KRm93UP9LNi1rpzNgUEo5/yH8aB+6xlBBww+T1heEdPlfMjEYtibUnSUQq5pNbyOVuUZvEWz30Wixr/JfSqLgCH3sVuXXnOEk5/fSKFaFWzdGm36dl1FWoztF93hhmShGwzGoIvZ+xgQzkipUgGMgA4K7WhCvyM/GvxKzzCFuBLkRIr2aCVteFdNXhU28yd5KyWWJVKpXNxT8p1dSAR9QS7cwdpb5Ra+4VjY1ovYMKRZBjy6HfwnEhA6Mhj/S8zcSb6tw+neEdv5BXB6SH5dS2O6c7G9Y1Yc05nM620rSAiDrZdBveWnczHJTHu1bCstQea9SVvh3B2vRYztXVvWbk0NY8HcS18AtUaUGchqMlqmOtpLHlark66p6Ue7UbKyOsXWAt2ROmMsycAS5+RqUPgFYGiUioQrkgSMZlNgMZwsL9GA1Yjfjt2bFd26IeNeTfYsS86mLiL+OCNRVR8OcUjegNgYKNe+gnaYt2jAGFwsy8MeeTPr/kWsx+hFUwf72MPQ==
x-ms-exchange-antispam-messagedata: QX/9bhvomab49Y5PDKXm/G4+LI6B6h6tdHl2PKpjoGlQ7Z818Nd5FeD/wnQfsJYMD4d+24XfWVXVGrnl34te5wLE09L0jeU2gFy5n9OALSLHLIp55Pwcy9rjgx3gzNv3FXVeljUf47ZBMv1UqB+XUw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MWHPR1301MB2096A619892ADB57D2D14A7885100MWHPR1301MB2096_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ed6bc8a5-1298-4cdb-8154-08d7b58ebad2
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Feb 2020 22:54:51.8586 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 6iDEjHESAlc++uO46roEUvYfj2aCuH4pl9r3HFS4+Y1oK2IwH4/OBprrb4Q0Qukg2xFSlVQ+YsgF7wdhRVxdgA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1301MB1887
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/P52JqQP-B-FXcQpw__jRtRkmZEk>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2020 22:55:00 -0000
Alia This revised version covers the problems associated with Identity Management, API abstraction, DNS/NAT service by different Cloud Operators for Enterprise to utilize Cloud Resources which you had suggested in IETF106. At NANOG 78, we had extensive discussion with DNS experts on the DNS related problems for Hybrid Cloud and have got very good constructive comments on the mailing list from DNSOP experts. Here is the revised draft that incorporate the discussion. https://datatracker.ietf.org/doc/draft-ietf-rtgwg-net2cloud-problem-statement/ Can you please review this revision? Can you suggest other experts or IETF groups to review the Identity Management, API abstraction and NAT which are added to the document? We would like to move this document forward and draw closure. The document has been in RTGwg for over a year. Thank you very much. Linda From: Linda Dunbar Sent: Friday, February 14, 2020 3:04 PM To: Scott Morizot <tmorizot@gmail.com> Cc: Morizot Timothy S <timothy.s.morizot@irs.gov>; Paul Vixie <paul@redbarn.org>; dnsop@ietf.org; Paul Ebersman <ebersman-ietf@dragon.net>; RTGWG <rtgwg@ietf.org> Subject: RE: [DNSOP] Solicit feedback on the problems of DNS for Cloud Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement Scott, Thank you. It makes sense now. i.e. some zones resolve differently based on the origins of the query, and some zones resolve the same globally for all queries from any source. Linda From: Scott Morizot <tmorizot@gmail.com<mailto:tmorizot@gmail.com>> Sent: Friday, February 14, 2020 2:11 PM To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> Cc: Morizot Timothy S <timothy.s.morizot@irs.gov<mailto:timothy.s.morizot@irs.gov>>; Paul Vixie <paul@redbarn.org<mailto:paul@redbarn.org>>; dnsop@ietf.org<mailto:dnsop@ietf.org>; Paul Ebersman <ebersman-ietf@dragon.net<mailto:ebersman-ietf@dragon.net>>; RTGWG <rtgwg@ietf.org<mailto:rtgwg@ietf.org>> Subject: Re: [DNSOP] Solicit feedback on the problems of DNS for Cloud Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement Ah. Should have used the Oxford comma for clarity. I'm normally one of the people who always uses it so that was probably an accidental omission. There should be a comma before that last 'and'. I was describing the three possible states for any query and response. We have all three scenarios in production so it's critical to understand which one covers a given name when troubleshooting issues. In each scenario, though, the name itself is unique and in a domain tree over which we have global administrative control. On Fri, Feb 14, 2020, 10:22 Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote: Scott, Thank you very much for the suggested changes. For the following sentence, do you you that different paths/zones can resolve differently based on the origin of the query and zones? Then what do you mean by adding the subphrase that “that resolve the same globally for all queries from any source”? An organization's globally unique DNS can include subdomains that cannot be resolved at all outside certain restricted paths, zones that resolve differently based on the origin of the query and zones that resolve the same globally for all queries from any source. Thank you, Linda From: Morizot Timothy S <Timothy.S.Morizot@irs.gov<mailto:Timothy.S.Morizot@irs.gov>> Sent: Thursday, February 13, 2020 6:23 AM To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>; Paul Vixie <paul@redbarn.org<mailto:paul@redbarn.org>>; dnsop@ietf.org<mailto:dnsop@ietf.org>; Paul Ebersman <ebersman-ietf@dragon.net<mailto:ebersman-ietf@dragon.net>> Cc: RTGWG <rtgwg@ietf.org<mailto:rtgwg@ietf.org>> Subject: RE: [DNSOP] Solicit feedback on the problems of DNS for Cloud Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement Linda Dunbar wrote: >Thank you very much for suggesting using the Globally unique domain name and having subdomains not resolvable outside the organization. >I took some of your wording into the section. Please let us know if the description can be improved. Thanks. I think that covers a reasonable approach to avoid collisions and ensure resolution and validation occur as desired by the organization with administrative control over the domains used. I realized I accidentally omitted a ‘when’ that makes the last sentence scan properly. In the process, I noticed what looked like a couple of other minor edits that could improve readability.. I did not see any substantive issues with the revised text but did include those minor proposed edits below. Scott 3.4. DNS for Cloud Resources DNS name resolution is essential for on-premises and cloud-based resources. For customers with hybrid workloads, which include on-premises and cloud-based resources, extra steps are necessary to configure DNS to work seamlessly across both environments. Cloud operators have their own DNS to resolve resources within their Cloud DCs and to well-known public domains. Cloud’s DNS can be configured to forward queries to customer managed authoritative DNS servers hosted on-premises, and to respond to DNS queries forwarded by on-premises DNS servers. For enterprises utilizing Cloud services by different cloud operators, it is necessary to establish policies and rules on how/where to forward DNS queries. When applications in one Cloud need to communicate with applications hosted in another Cloud, there could be DNS queries from one Cloud DC being forwarded to the enterprise’s on premise DNS, which in turn can be forwarded to the DNS service in another Cloud. Needless to say, configuration can be complex depending on the application communication patterns. However, even with carefully managed policies and configurations, collisions can still occur. If you use an internal name like ..cloud and then want your services to be available via or within some other cloud provider which also uses .cloud, then it can't work. Therefore, it is better to use the global domain name even when an organization does not make all its namespace globally resolvable. An organization's globally unique DNS can include subdomains that cannot be resolved at all outside certain restricted paths, zones that resolve differently based on the origin of the query and zones that resolve the same globally for all queries from any source. Globally unique names do not equate to globally resolvable names or even global names that resolve the same way from every perspective. Globally unique names do prevent any possibility of collision at the present or in the future and they make DNSSEC trust manageable. It's not as if there is or even could be some sort of shortage in available names that can be used, especially when subdomains and the ability to delegate administrative boundaries are considered. _______________________________________________ DNSOP mailing list DNSOP@ietf.org<mailto:DNSOP@ietf.org> https://www.ietf.org/mailman/listinfo/dnsop<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fdnsop&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C2f789148051e4b79942d08d7b18a0b58%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637173078791030675&sdata=E3CpblukdDt43XnDlq34RgUlYyAPc1GW4uxqT8o1KSo%3D&reserved=0>
- Please send your comments to the revised draft-ie… Linda Dunbar