> On Jul 19, 2018, at 2:09 PM, Paul Wouters <p...@nohats.ca> wrote:
> 
> On Thu, 19 Jul 2018, internet-dra...@ietf.org wrote:
> 
>> Subject: [IPsec] I-D Action: draft-ietf-ipsecme-split-dns-11.txt
> 
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-split-dns-11
> 
> This is probably wrong:
> 
>       Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
>       INTERNAL_DNS_DOMAIN attribute MUST be ignored and treated as a protocol
>       error.
> 
> Because you can have more than one INTERNAL_DNSSEC_TA for one domain.
> Instead, it should read:
> 
>       Any INTERNAL_DNSSEC_TA attribute that is not immediately preceded by an
>       INTERNAL_DNS_DOMAIN or another INTERNAL_DNSSEC_TA attribute applying to
>       the same domain name MUST be ignored and treated as a protocol error.

Good point, agreed on this text.
> 
> From the previous diff, I'm confused about:
> 
>       IKE clients MUST use a preconfigured whitelist of one or more domain
>       which it will allow INTERNAL_DNSSEC_TA updates.
> 
> It could have an empty white list and use direct IP without split-dns?
> Or use the VPN as an "encrypted DNS" provider for everything (which is
> allowed according to the spec, that is, it does not violate a MUST NOT).
> 
> Also, since we allow signaling of "upgrade your IKE config out of band"
> if you see a new unconfigured domain name in the reply, it could be that
> you start with 0 and get a new one. Which also requires an empty list.

That's fair. Can you propose a sentence to replace this with?

Tommy
> 
> Paul

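The attribute-ordering rule agreed above, as an added example that is not text or code from the draft or from either poster: a validator that walks an ordered list of IKEv2 configuration attributes and binds each INTERNAL_DNSSEC_TA to the domain of the chain it sits in. The attribute type names are the draft's and RFC 7296's; the DS-style values and addresses are constructed, and the `strict_original_wording` flag models the -11 text for comparison.

```python
# IKEv2 CFG attribute type names; INTERNAL_IP4_DNS stands in for any other
# attribute that breaks the INTERNAL_DNS_DOMAIN / INTERNAL_DNSSEC_TA chain.
INTERNAL_DNS_DOMAIN = "INTERNAL_DNS_DOMAIN"
INTERNAL_DNSSEC_TA = "INTERNAL_DNSSEC_TA"
INTERNAL_IP4_DNS = "INTERNAL_IP4_DNS"


def bind_trust_anchors(attributes, strict_original_wording=False):
    """Return (bindings, errors) for an ordered list of (type, value) pairs.

    bindings: domain -> list of INTERNAL_DNSSEC_TA values, in received order.
    errors:   indices of INTERNAL_DNSSEC_TA attributes that are not immediately
              preceded by INTERNAL_DNS_DOMAIN, or (corrected wording) by another
              INTERNAL_DNSSEC_TA for the same domain. Those are ignored and
              reported as protocol errors, as the quoted text requires.
    With strict_original_wording=True only INTERNAL_DNS_DOMAIN may precede a
    TA, which is the -11 reading that rejects a second TA for the same domain.
    """
    bindings = {}
    errors = []
    current_domain = None  # domain the open chain applies to, if any
    for index, (attr_type, value) in enumerate(attributes):
        if attr_type == INTERNAL_DNS_DOMAIN:
            current_domain = value
            bindings.setdefault(value, [])  # a domain may carry no TA at all
        elif attr_type == INTERNAL_DNSSEC_TA:
            if current_domain is None:
                errors.append(index)  # orphan TA: ignore and flag
            else:
                bindings[current_domain].append(value)
                if strict_original_wording:
                    current_domain = None  # -11 text: chain ends after one TA
        else:
            current_domain = None  # any other attribute ends the chain
    return bindings, errors


# Constructed sample payload: two TAs for example.com, a domain with no TA,
# and one TA separated from its domain by an unrelated attribute.
SAMPLE_ATTRIBUTES = [
    (INTERNAL_IP4_DNS, "192.0.2.53"),
    (INTERNAL_DNS_DOMAIN, "example.com"),
    (INTERNAL_DNSSEC_TA, "ds-keytag-1"),
    (INTERNAL_DNSSEC_TA, "ds-keytag-2"),
    (INTERNAL_DNS_DOMAIN, "corp.example"),
    (INTERNAL_IP4_DNS, "192.0.2.54"),
    (INTERNAL_DNSSEC_TA, "ds-keytag-3"),
]
```

Running `bind_trust_anchors(SAMPLE_ATTRIBUTES)` keeps both example.com anchors and flags only the last TA; with `strict_original_wording=True` the second example.com anchor is flagged too, which is the problem Paul raises.
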
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec