Paul, 

Thank you very much for the explanation. 

I think the confusion comes from people like me who have been extensively 
working with MPLS VPN, with "internal network" communication not protected, 
whereas your draft assumes "internal network" as the one being interconnected 
by "IPsec" tunnel. Correct? 

Since the draft is to be read by general public once it becomes RFC, suggest 
you add a note to explain your "internal network". 

Linda

-----Original Message-----
From: Paul Wouters [mailto:[email protected]] 
Sent: Tuesday, January 23, 2018 4:17 PM
To: Linda Dunbar <[email protected]>
Cc: [email protected] WG <[email protected]>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-04.txt

On Tue, 23 Jan 2018, Linda Dunbar wrote:

Hi Linda,

> Introduction:
>  
> Is "Split DNS" less about "configuration for the secure tunnels", but 
> more about having two zones, one to be used by the internal network, the 
> other used by the external network?
> Basically Split DNS directs internal hosts to an internal domain name 
> server for name resolution and external hosts are directed to an external 
> domain name server for name resolution.
>  
> Is it correct? If yes, the requests from internal network (the network within 
> VPN) may not be via tunnel, isn't it?

That is correct. The initial draft did have that requirement, but Tero pointed 
out correctly that you might be setting up multiple tunnels, and in fact one 
might be _to_ the internal DNS server, which could come up on demand. So we 
left out any restrictions of the DNS request actually going over the initial 
tunnel. Imagine you have a configuration for two remote subnets, 10.0.1.0/24 and 
10.0.2.0/24. And your nameserver is on 10.0.1.1. But your initial 
IKE_INIT/IKE_AUTH requests are triggered by a packet for 10.0.2.1. You would get 
the DNS information, but the CHILD SA would not be covering that IP. But if you 
just send a DNS packet to 10.0.1.1, the existing IKE SA would send a 
CREATE_CHILD_SA to initiate a second IPsec SA for the other range.

> Or your "split DNS" is about one DNS with some domain name resolution 
> requests are from IPSec tunnels and others are not?

The split-DNS refers to "internal only" DNS zones, that presumably are only 
accessible over the remote access VPN, for which the VPN client needs to be 
told about by the server which domains these are and where to find nameservers 
for them and what DNSSEC key might sign them.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
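The on-demand CHILD_SA behaviour and the split-DNS decision Paul describes above, written out as an added example (this is not code from the thread, the draft, or any IKE implementation). It models a client holding one IKE SA that offers two remote subnets, and a resolver policy that sends only the server-announced internal domains to the internal nameserver through the tunnel. The domain name `corp.example`, the nameserver address 10.0.1.1 and the subnets are constructed to mirror the scenario in the mail; the choice to refuse an internal query when no tunnel can reach the internal nameserver (rather than fall back to a public resolver) is this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample configuration mirroring Paul's scenario: two remote
# subnets offered by the VPN peer, with the internal nameserver in the first.
REMOTE_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"),
                  ipaddress.ip_network("10.0.2.0/24")]
# Hypothetical internal-only domains announced by the VPN server, each with
# the nameserver(s) to use for it (names and addresses are assumptions).
INTERNAL_DOMAINS = {"corp.example": ["10.0.1.1"]}


@dataclass
class IkeSa:
    """Minimal model of one IKE SA: the subnets the peer offers as traffic
    selectors, and those for which an IPsec CHILD_SA already exists."""
    remote_subnets: list
    child_sas: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def covered_by(self, dst) -> Optional[ipaddress.IPv4Network]:
        dst = ipaddress.ip_address(dst)
        return next((n for n in self.child_sas if dst in n), None)

    def offered_by(self, dst) -> Optional[ipaddress.IPv4Network]:
        dst = ipaddress.ip_address(dst)
        return next((n for n in self.remote_subnets if dst in n), None)

    def send(self, dst) -> Optional[ipaddress.IPv4Network]:
        """Carry a packet to dst: reuse an existing CHILD_SA if one covers it,
        otherwise negotiate a new one over the existing IKE SA (CREATE_CHILD_SA)
        when the peer offers that subnet. Returns the subnet whose SA carried
        the packet, or None when no tunnel can reach it."""
        net = self.covered_by(dst)
        if net is not None:
            self.log.append(f"{dst}: ESP via existing CHILD_SA {net}")
            return net
        net = self.offered_by(dst)
        if net is not None:
            self.log.append(f"{dst}: CREATE_CHILD_SA for {net}")
            self.child_sas.append(net)
            return net
        self.log.append(f"{dst}: not covered by any tunnel")
        return None


def internal_nameserver(qname, internal_domains=INTERNAL_DOMAINS):
    """Longest-suffix match of a query name against the announced internal
    domains. Returns a nameserver address for an internal name, None for a
    public one (which stays with the normal, untunnelled resolver)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in internal_domains:
            return internal_domains[candidate][0]
    return None


def resolve(sa, qname):
    """Decide where a DNS query goes. Public names use the public resolver.
    Internal names go to the internal nameserver via the VPN, triggering a
    CHILD_SA for the nameserver's subnet if needed; if no tunnel can reach
    that nameserver the query is refused rather than sent in the clear."""
    ns = internal_nameserver(qname)
    if ns is None:
        return ("public-resolver", None)
    if sa.send(ns) is None:
        return ("refused", ns)
    return ("internal", ns)


def scenario():
    """The sequence from the mail: the first tunnel is triggered by traffic to
    10.0.2.1, so it covers 10.0.2.0/24 only; a later query for an internal
    name reaches 10.0.1.1 by bringing up a second CHILD_SA on demand."""
    sa = IkeSa(REMOTE_SUBNETS)
    sa.send("10.0.2.1")
    results = [resolve(sa, "www.example.com"),    # public, stays off the tunnel
               resolve(sa, "wiki.corp.example"),  # triggers CREATE_CHILD_SA
               resolve(sa, "db.corp.example")]    # reuses the new CHILD_SA
    return sa, results


if __name__ == "__main__":
    sa, results = scenario()
    print("\n".join(sa.log))
    print(results)
```

Running the script prints the three tunnel events in order (CREATE_CHILD_SA for 10.0.2.0/24, CREATE_CHILD_SA for 10.0.1.0/24, then ESP over the existing SA) followed by the resolver decisions; the point it illustrates is that nothing in the DNS configuration requires the nameserver to sit behind the first tunnel that came up.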
