On Thu, 12 Jan 2017, Tero Kivinen wrote:

I might not want to trust the VPN gateway of our partner claiming to
be authoritative for mycompany.com, i.e., I will have policy limiting
what is accepted from the gateway.

Also when using opportunistic authentication we might want to have
even stricter policies.

OK, then it contradicts your own comment that all requests to
INTERNAL_DNS_DOMAIN MUST be done using an internal DNS server.
Quoting your message:

        I think the 1st point (I.e. all requests about internal names go to
        the internal servers) is something that is important for security, so
        it should perhaps be MUST.

At least it must be clarified.

Yes, and No. If the client rejects the INTERNAL_DNS_DOMAIN because of
policy reasons, then it is not an internal name anymore, thus it can use
a DNS server configured elsewhere. But yes, I agree there should be
clarification explaining that only those internal names the client
accepted must use internal servers...

Remember IPsec is peer to peer, not client to server :)

The idea is that the client can convey information of which DNS it will
allow to be stolen and the server can convey which DNS it is serving
that is expected to be an internal DNS domain (e.g. different from the
outside worldview).

This is not about the server offering a DNS server to take all your
queries. For that, I believe you can use the existing options, and
those are outside the scope of this document.

Paul
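The policy check the thread converges on (the gateway proposes INTERNAL_DNS_DOMAIN entries, the client accepts only those its own policy allows, and only accepted names are resolved via the gateway's INTERNAL_DNS_SERVER addresses while everything else, including rejected domains, keeps using the client's ordinary resolvers) can be sketched in code. This is an added example, not code from the thread or from any IKEv2 implementation; the data structures, function names and sample addresses are assumptions constructed for illustration.

```python
"""
Client-side policy filter for split-DNS domains proposed by an IKEv2 gateway.

Added illustration; the class and function names, and the sample addresses,
are constructed for this example and do not come from any real implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple


def _norm(name: str) -> str:
    """Canonical form for comparison: no trailing dot, lower case."""
    return name.strip().rstrip(".").lower()


def _in_domain(name: str, domain: str) -> bool:
    """True if `name` equals `domain` or is a proper subdomain of it.

    Label-boundary matching, so 'partner.example.evil.test' does not match
    'partner.example' and 'notpartner.example' does not match 'partner.example'.
    """
    name, domain = _norm(name), _norm(domain)
    return name == domain or name.endswith("." + domain)


def _is_ip(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


@dataclass
class GatewayConfig:
    """What the gateway sent in its configuration reply (constructed sample)."""
    internal_dns_servers: List[str]   # INTERNAL_DNS_SERVER addresses
    internal_dns_domains: List[str]   # INTERNAL_DNS_DOMAIN names


@dataclass
class ClientPolicy:
    """Local policy: domains this peer is willing to let the gateway 'steal',
    plus the resolvers used for everything else."""
    allowed_domains: List[str]
    public_resolvers: List[str]


def accept_internal_domains(policy: ClientPolicy,
                            gateway: GatewayConfig) -> Tuple[List[str], List[str]]:
    """Split the gateway's proposed domains into (accepted, rejected).

    A proposed domain is accepted only if it is covered by an entry of the
    client's allowed list. If the gateway supplied no usable internal server
    there is nothing to send internal queries to, so nothing is accepted.
    """
    usable_servers = [s for s in gateway.internal_dns_servers if _is_ip(s)]
    accepted: List[str] = []
    rejected: List[str] = []
    for proposed in gateway.internal_dns_domains:
        d = _norm(proposed)
        if usable_servers and any(_in_domain(d, a) for a in policy.allowed_domains):
            accepted.append(d)
        else:
            rejected.append(d)
    return accepted, rejected


def resolvers_for(qname: str, accepted_domains: List[str],
                  gateway: GatewayConfig, policy: ClientPolicy) -> List[str]:
    """Choose resolvers for one query: the gateway's internal servers for an
    accepted internal name, the client's own resolvers for anything else.
    A rejected domain is simply not an internal name for this client."""
    if any(_in_domain(qname, d) for d in accepted_domains):
        return [s for s in gateway.internal_dns_servers if _is_ip(s)]
    return list(policy.public_resolvers)


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Constructed scenario from the thread: a partner gateway also claims
    mycompany.com, which local policy does not allow it to take over."""
    gateway = GatewayConfig(internal_dns_servers=["10.0.0.53"],
                            internal_dns_domains=["partner.example", "mycompany.com"])
    policy = ClientPolicy(allowed_domains=["partner.example"],
                          public_resolvers=["192.0.2.53"])
    accepted, rejected = accept_internal_domains(policy, gateway)
    internal_q = resolvers_for("intranet.partner.example", accepted, gateway, policy)
    own_q = resolvers_for("mail.mycompany.com", accepted, gateway, policy)
    return accepted, rejected, internal_q, own_q


if __name__ == "__main__":
    print(demo())
```

The label-boundary check in `_in_domain` is the detail worth keeping: a suffix test on raw strings would let a proposed `partner.example` capture names like `notpartner.example`, and a gateway proposing a bare TLD such as `com` is rejected unless the client's policy explicitly lists it.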

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
