On Tue, 19 Jun 2018, Nico Williams wrote:

> The I-D should say that clients MUST allow local configuration of what
> domains to accept trust anchors for, and SHOULD allow local policy to
> list . as a domain for which to accept trust anchors.

It already says so:

   If a client is configured by local policy to only accept a limited
   number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any
   other INTERNAL_DNS_DOMAIN values.

However, "limited number" is confusing and it should be reworded to say
"to only accept certain specific domain names".

> > 2. Because the current design also allows those trust anchors to sign TLSA
> > records, any TLS client which accepts those TLSA records is subject to MITM
> > by the VPN server
>
> And SSHFP.  And anything else that might be security-relevant (all of
> DNS, really).
>
> This definitely merits a Security Considerations note even if this
> property were actually the point of this protocol.

That is all stated in section 6:

https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns-08#section-6

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
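The local-policy check discussed above (a client MUST ignore any INTERNAL_DNS_DOMAIN value its policy does not list, and MAY be configured with "." to accept trust anchors for any domain), written out as an added example. This is illustration code, not code from the draft or from any IKEv2 implementation; the function names, the `(domain, anchor)` tuple shape for INTERNAL_DNSSEC_TA values, and the rule that a trust anchor is only accepted when its domain was accepted are assumptions made here.

```python
# Added example: apply local policy to split-DNS configuration received
# over IKEv2 (INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes).
# Names and data shapes are assumptions for illustration, not the draft's.

from typing import Iterable, List, Optional, Tuple


def normalize(name: str) -> str:
    """Canonical DNS name: lowercase, absolute (trailing dot); "." is the root."""
    name = name.strip().lower()
    if name in ("", "."):
        return "."
    return name if name.endswith(".") else name + "."


def domain_allowed(domain: str, policy: Optional[Iterable[str]]) -> bool:
    """True if local policy permits accepting this INTERNAL_DNS_DOMAIN value.

    policy=None means no local restriction (every offered domain accepted).
    A policy entry of "." is the root: it accepts any domain, which is the
    'SHOULD allow local policy to list .' case from the thread.
    """
    if policy is None:
        return True
    d = normalize(domain)
    for entry in policy:
        p = normalize(entry)
        if p == "." or p == d:
            return True
    return False


def filter_split_dns(
    offered_domains: Iterable[str],
    offered_trust_anchors: Iterable[Tuple[str, bytes]],
    policy: Optional[Iterable[str]] = None,
) -> Tuple[List[str], List[Tuple[str, bytes]], List[str]]:
    """Return (accepted_domains, accepted_trust_anchors, ignored_domains).

    offered_domains: INTERNAL_DNS_DOMAIN values sent by the VPN server.
    offered_trust_anchors: constructed (domain, DNSKEY/DS bytes) pairs
        standing in for INTERNAL_DNSSEC_TA values.
    Anything not covered by policy is ignored rather than rejected with an
    error, matching the draft's "MUST ignore any other values" wording.
    """
    pol = list(policy) if policy is not None else None
    accepted: List[str] = []
    ignored: List[str] = []
    for dom in offered_domains:
        (accepted if domain_allowed(dom, pol) else ignored).append(normalize(dom))

    # Assumption: a trust anchor is only usable for a domain the client
    # accepted, so anchors for ignored (or never-offered) domains are dropped.
    accepted_set = set(accepted)
    anchors = [
        (normalize(dom), ta)
        for dom, ta in offered_trust_anchors
        if normalize(dom) in accepted_set
    ]
    return accepted, anchors, ignored


if __name__ == "__main__":
    # Constructed sample payload from a VPN server; not real anchor data.
    server_domains = ["corp.example", "partner.example", "EXAMPLE.NET."]
    server_anchors = [("corp.example", b"\x01ta-corp"), ("partner.example", b"\x02ta-partner")]

    # Local policy lists only corp.example: partner.example and example.net are ignored,
    # and the partner.example trust anchor is dropped with it.
    print(filter_split_dns(server_domains, server_anchors, ["corp.example"]))

    # Local policy of "." accepts everything the server offers.
    print(filter_split_dns(server_domains, server_anchors, ["."]))
```

The point a client implementer takes from this is that the policy check gates both attributes together: an INTERNAL_DNSSEC_TA value never survives on its own, so a server cannot install a trust anchor for a domain the local administrator did not enable.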