Scott,

Thank you very much for suggesting using a globally unique domain name and 
having subdomains not resolvable outside the organization. I took some of 
your wording into the section. Please let us know if the description can be 
improved.

      3.4. DNS for Cloud Resources
      DNS name resolution is essential for on-premises and cloud-based 
resources. For customers with hybrid workloads, which include on-premises and 
cloud-based resources, extra steps are necessary to configure DNS to work 
seamlessly across both environments.
      Cloud operators have their own DNS to resolve resources within their 
Cloud DCs and to well-known public domains. The Cloud's DNS can be configured to 
forward queries to customer-managed authoritative DNS servers hosted 
on-premises, and to respond to DNS queries forwarded by on-premises DNS 
servers.
      For enterprises utilizing Cloud services from different cloud operators, it 
is necessary to establish policies and rules on how and where to forward DNS 
queries. When applications in one Cloud need to communicate with 
applications hosted in another Cloud, there could be DNS queries from one Cloud 
DC being forwarded to the enterprise's on-premises DNS, which in turn may be 
forwarded to the DNS service in another Cloud. Needless to say, configuration 
can be complex depending on the application communication patterns.
      However, even with carefully managed policies and configurations, 
collisions can still occur. If you use an internal name like .cloud and then 
want your services to be available via or within some other cloud provider 
which also uses .cloud, then it can't work. Therefore, it is better to use the 
global domain name even when an organization does not make all its namespace 
globally resolvable. An organization's globally unique DNS can include 
subdomains that cannot be resolved at all outside certain restricted paths, 
zones that resolve differently based on the origin of the query and zones that 
resolve the same globally for all queries from any source.
      Globally unique names do not equate to globally resolvable names or even 
global names that resolve the same way from every perspective. Globally unique 
names do prevent any possibility of collision at present or in the future, 
and they make DNSSEC trust manageable. It's not as if there is or even could be 
some sort of shortage in available names that can be used, especially when 
subdomains and the ability to delegate administrative boundaries are considered.

Linda
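The following is an added worked example, not text from the draft or from either message in the thread. It models the forwarding policy the section describes: a resolver that classifies a query by its origin (on-premises, cloud A, cloud B or public), forwards each zone under the organization's globally unique domain to the right authority, refuses restricted subdomains from outside the permitted paths, returns origin-dependent answers for the apex zone, and shows why a private TLD like .cloud that two providers both use collides while delegated subdomains of example.com cannot. All ranges, server names, operators and records are constructed for illustration; example.com stands in for the organization's registered domain.

```python
"""Split-horizon forwarding policy over a globally unique namespace.

Added example, not from the draft or the thread. All names, address ranges
and servers below are constructed; example.com stands in for the
organization's registered, globally unique domain.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed address plan for classifying where a query comes from.
ORIGINS = {
    "onprem":  ip_network("10.0.0.0/8"),       # enterprise sites and DCs
    "cloud-a": ip_network("172.16.0.0/12"),    # VPCs at cloud provider A
    "cloud-b": ip_network("192.168.0.0/16"),   # VNets at cloud provider B
}
INTERNAL: Tuple[str, ...] = tuple(ORIGINS)     # ("onprem", "cloud-a", "cloud-b")


def origin_of(client_ip: str) -> str:
    """Classify the query source; anything outside the known ranges is 'public'."""
    ip = ip_address(client_ip)
    for name, net in ORIGINS.items():
        if ip in net:
            return name
    return "public"


# Who operates each DNS server we might forward to, and the A records it holds.
OPERATOR: Dict[str, str] = {
    "onprem-auth": "enterprise", "public-auth": "enterprise",
    "cloud-a-dns": "provider-a", "cloud-b-dns": "provider-b",
}
AUTH_DATA: Dict[str, Dict[str, str]] = {
    # Internal view of the org zone: the public names plus internal-only ones.
    "onprem-auth": {"www.example.com": "203.0.113.10",
                    "app.example.com": "10.2.0.20",
                    "ldap.corp.example.com": "10.1.0.5"},
    # Public view of the same zone: no corp.* names exist here at all.
    "public-auth": {"www.example.com": "203.0.113.10",
                    "app.example.com": "203.0.113.20"},
    # Provider-run zones; both providers also use the private TLD ".cloud".
    "cloud-a-dns": {"db.a.example.com": "172.16.4.7", "svc.cloud": "172.16.9.9"},
    "cloud-b-dns": {"api.b.example.com": "192.168.3.3", "svc.cloud": "192.168.7.7"},
}


@dataclass(frozen=True)
class ZonePolicy:
    zone: str                    # zone suffix this rule governs
    forwarders: Dict[str, str]   # origin -> server; origins absent here are refused


POLICY: List[ZonePolicy] = [
    # Restricted subdomain: resolvable only along internal paths.
    ZonePolicy("corp.example.com", {o: "onprem-auth" for o in INTERNAL}),
    # Subdomains delegated to each provider; on-prem relays cross-cloud queries.
    ZonePolicy("a.example.com", {o: "cloud-a-dns" for o in INTERNAL}),
    ZonePolicy("b.example.com", {o: "cloud-b-dns" for o in INTERNAL}),
    # Apex zone: internal origins see the internal view, everyone else the public one.
    ZonePolicy("example.com", {**{o: "onprem-auth" for o in INTERNAL},
                               "public": "public-auth"}),
    # Legacy private TLD, kept only to show the collision it causes.
    ZonePolicy("cloud", {"onprem": "cloud-a-dns", "cloud-a": "cloud-a-dns",
                         "cloud-b": "cloud-b-dns"}),
]


def match_zone(qname: str) -> Optional[ZonePolicy]:
    """Longest-suffix match, so corp.example.com wins over example.com."""
    best = None
    for pol in POLICY:
        if qname == pol.zone or qname.endswith("." + pol.zone):
            if best is None or len(pol.zone) > len(best.zone):
                best = pol
    return best


def resolve(qname: str, client_ip: str) -> Tuple[str, Optional[str]]:
    """Return (rcode, address); RECURSE means no policy applies and normal
    recursion to the public DNS would follow."""
    qname = qname.rstrip(".").lower()
    pol = match_zone(qname)
    if pol is None:
        return "RECURSE", None
    server = pol.forwarders.get(origin_of(client_ip))
    if server is None:                      # zone exists, but not from this origin
        return "REFUSED", None
    addr = AUTH_DATA[server].get(qname)
    return ("NOERROR", addr) if addr else ("NXDOMAIN", None)


def find_collisions() -> Dict[str, Set[str]]:
    """Names for which two independent operators both claim authority.
    Under example.com the delegation tree prevents this; under .cloud nothing does."""
    claims: Dict[str, Set[str]] = {}
    for server, records in AUTH_DATA.items():
        for name in records:
            claims.setdefault(name, set()).add(OPERATOR[server])
    return {n: ops for n, ops in claims.items() if len(ops) > 1}


if __name__ == "__main__":
    print(resolve("app.example.com", "10.5.5.5"))            # internal view
    print(resolve("app.example.com", "198.51.100.7"))        # public view
    print(resolve("ldap.corp.example.com", "198.51.100.7"))  # refused from outside
    print(resolve("api.b.example.com", "172.16.1.1"))        # cloud A -> on-prem -> cloud B
    print(find_collisions())                                 # only svc.cloud collides
```

The two app.example.com answers differ by design (one zone, two views), and the check in find_collisions does not flag them because both views are operated by the enterprise. svc.cloud is flagged because provider A and provider B each hold their own authoritative data for the same name, which is exactly the case the section says "can't work"; a real resolver would receive whichever answer its forwarding path happened to reach.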


-----Original Message-----
From: Morizot Timothy S <timothy.s.mori...@irs.gov>
Sent: Wednesday, February 12, 2020 6:35 AM
To: Paul Vixie <p...@redbarn.org>; dnsop@ietf.org; Paul Ebersman 
<ebersman-i...@dragon.net>
Cc: Linda Dunbar <linda.dun...@futurewei.com>
Subject: RE: [DNSOP] Solicit feedback on the problems of DNS for Cloud 
Resources described by the draft-ietf-rtgwg-net2cloud-problem-statement

Paul Vixie wrote:
>if the names are global then they will be unique and DNS itself will
>handle the decision of how to route questions to the right authority servers.
>...
>first i hope you can explain why the simpler and existing viral DNS
>paradigm (all names are global and unique) is unacceptable for your purpose.

I wanted to highlight the central point Paul Vixie made and note that it 
applies even when an organization does not make all its namespace globally 
resolvable. An organization's globally unique DNS can include subdomains that 
cannot be resolved at all outside certain restricted paths, zones that resolve 
differently based on the origin of the query, and zones that resolve the same 
globally for all queries from any source. Globally unique names do not equate 
to globally resolvable names or even global names that resolve the same way 
from every perspective. Globally unique names do prevent any possibility of 
collision at present or in the future, and they make DNSSEC trust 
manageable. (Both of those are significant concerns for my organization.) It's 
not as if there is or even could be some sort of shortage in available names 
that can be used, especially when subdomains and the ability to delegate 
administrative boundaries are considered.

I would also like to understand why global and unique names are unacceptable.

Thanks,

Scott

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop