On Thu, 19 Jul 2018, [email protected] wrote:
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-11
This is probably wrong:
Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
INTERNAL_DNS_DOMAIN attribute MUST be ignored and treated as aprotocol
error.
Because you can have more then one INTERNAL_DNSSEC_TA for one domain.
Instead, it should read:
Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying to
the same domain name MUST be ignored and treated as a protocol error.
From the previous diff, I'm confused about:
IKE clients MUST use a preconfigured whitelist of one or more domain
which it will allow INTERNAL_DNSSEC_TA updates.
It could have an empty white list and use direct IP without split-dns ?
Or use the VPN as an "encrypted DNS" provider for everything (which is
allowed according to the spec, that is it does not violate a MUST NOT)
Also, since we allow signaling of "upgrade your IKE config out of band"
if you see a new unconfigured domain name in the reply, it could be that
you start with 0 and get a new one. Which also requires an empty list.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
