On Tue, 23 Jan 2018, Linda Dunbar wrote:
Thank you very much for the explanation.
I think the confusion comes from people like me who have been extensively working with MPLS VPN, with
"internal network" communication not protected, whereas your draft assumes "internal
network" as the one being interconnected by "IPsec" tunnel. Correct?
Since the draft is to be read by general public once it becomes RFC, suggest you add a
note to explain your "internal network".
I will talk to Tommy and see whether we should clarify this some more
in the introduction of the document.
Thanks,
Paul
Linda
-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Tuesday, January 23, 2018 4:17 PM
To: Linda Dunbar <[email protected]>
Cc: [email protected] WG <[email protected]>
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-04.txt
On Tue, 23 Jan 2018, Linda Dunbar wrote:
Hi Linda,
Introduction:
Is "Split DNS" less about "configuration for the secure tunnels", but
more about having two zones, one to be used by the internal network, the other
used by the external network?
Basically Split DNS directs internal hosts to an internal domain name
server for name resolution and external hosts are directed to an external
domain name server for name resolution.
Is it correct? If yes, the requests from internal network (the network within
VPN) may not be via tunnel, isn't it?
That is correct. The initial draft did have that requirement, but Tero pointed
out correctly that you might be setting up multiple tunnels, and in fact one
might be _to_ the internal DNS server, which could come up on demand. So we
left out any restrictions of the DNS request actually going over the initial
tunnel. Imagine you have a configuration for two remote subnets, 10.0.1.0/24 and
10.0.2.0/24. And your nameserver is on 10.0.1.1. But your initial
IKE_INIT/IKE_AUTH requests are triggered by a packet for 10.0.2.1. You would get
the DNS information, but the CHILD SA would not be covering that IP. But if you
just send a DNS packet to 10.0.1.1, the existing IKE SA would send a
CREATE_CHILD_SA to initiate a second IPsec SA for the other range.
Or your "split DNS" is about one DNS with some domain name resolution requests
are from IPSec tunnels and others are not?
The split-DNS refers to "internal only" DNS zones, that presumably are only
accessible over the remote access VPN, for which the VPN client needs to be told about by
the server which domains these are and where to find nameservers for them and what DNSSEC
key might sign them.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
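The two behaviours Paul describes above (queries for "internal only" zones going to the internal nameserver the VPN server announced, and a DNS packet to that nameserver triggering a CREATE_CHILD_SA for a range the first CHILD SA did not cover) can be modelled in a few lines. This is an added example written for this page, not code from the thread, the draft, or any IKE implementation; the class and field names (SplitDnsConfig, VpnClient, the 192.0.2.53 external resolver) are this example's own constructed assumptions, and the configured subnets and nameserver address are the ones from Paul's message.

```python
"""
Model of split-DNS resolver selection plus on-demand CHILD SA creation.
Added example; names and sample addresses are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class SplitDnsConfig:
    """What the VPN server tells the client: which domains are internal-only,
    which nameserver(s) serve them, and the client's normal external resolver.
    (DNSSEC trust anchors for the internal zones are omitted from this model.)"""
    internal_domains: list[str]
    internal_nameservers: list[IPv4Address]
    external_nameserver: IPv4Address


def resolver_for(qname: str, cfg: SplitDnsConfig) -> IPv4Address:
    """Pick the nameserver for a query: internal resolver for names inside an
    announced internal domain, the external resolver for everything else.
    Matching is on whole labels, so 'notexample.corp' does not match 'example.corp'."""
    name = qname.rstrip(".").lower()
    for dom in cfg.internal_domains:
        d = dom.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return cfg.internal_nameservers[0]
    return cfg.external_nameserver


@dataclass
class VpnClient:
    """Minimal IKEv2 client state: configured remote ranges, whether the IKE SA
    is up, and which ranges already have a CHILD SA."""
    remote_ranges: list[IPv4Network]
    ike_sa_up: bool = False
    child_sas: list[IPv4Network] = field(default_factory=list)
    log: list[str] = field(default_factory=list)

    def _range_for(self, dst: IPv4Address) -> IPv4Network | None:
        return next((n for n in self.remote_ranges if dst in n), None)

    def send(self, dst) -> IPv4Network | None:
        """Send a packet to dst, bringing up whatever SA state it needs."""
        dst = ip_address(dst)
        net = self._range_for(dst)
        if net is None:
            self.log.append(f"{dst}: not a VPN destination, sent outside the tunnel")
            return None
        if net in self.child_sas:
            self.log.append(f"{dst}: sent over existing CHILD SA {net}")
        elif not self.ike_sa_up:
            # First trigger packet: IKE_INIT/IKE_AUTH bring up the IKE SA and the
            # first CHILD SA, covering only the triggering packet's range. The
            # split-DNS configuration arrives here, even if the nameserver
            # lives in a range this CHILD SA does not cover.
            self.ike_sa_up = True
            self.child_sas.append(net)
            self.log.append(f"{dst}: IKE_INIT/IKE_AUTH -> IKE SA + CHILD SA {net}")
        else:
            # Existing IKE SA, uncovered range: negotiate another IPsec SA.
            self.child_sas.append(net)
            self.log.append(f"{dst}: CREATE_CHILD_SA -> CHILD SA {net}")
        return net


def demo() -> VpnClient:
    """Replay the scenario from the thread and return the resulting client state."""
    cfg = SplitDnsConfig(
        internal_domains=["example.corp"],                 # constructed zone name
        internal_nameservers=[IPv4Address("10.0.1.1")],    # nameserver from the thread
        external_nameserver=IPv4Address("192.0.2.53"),     # constructed external resolver
    )
    client = VpnClient([ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")])
    client.send("10.0.2.1")                                # trigger packet for the 10.0.2.0/24 range
    client.send(resolver_for("intranet.example.corp", cfg))  # DNS query to 10.0.1.1 -> CREATE_CHILD_SA
    client.send(resolver_for("www.example.com", cfg))      # external name, external resolver, no tunnel
    return client


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

Running it prints three log lines: the trigger packet bringing up the IKE SA with a CHILD SA for 10.0.2.0/24 only, the DNS query to 10.0.1.1 causing a CREATE_CHILD_SA for 10.0.1.0/24, and the external query leaving the tunnel untouched. The point of the model is the one Paul makes: nothing requires the DNS request to traverse the initial CHILD SA; the existing IKE SA can add the IPsec SA on demand.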