On Tue, 20 Nov 2018, Spencer Dawkins wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Perhaps it would be helpful to give an example of why
>
>    A client using these configuration payloads will be able to request
>    and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
>    and INTERNAL_DNSSEC_TA configuration attributes. The client device
>    can use the internal DNS server(s) for any DNS queries within the
>    assigned domains. DNS queries for other domains SHOULD be sent to
>    the regular external DNS server.
>
> DNS queries for other domains might not be sent to the regular external DNS
> server? I'm thinking of one, but I'm flat-out guessing.

I think you are right, and we are mixing up INTERNAL_IP4_DNS with
INTERNAL_DNS_DOMAIN.

The idea is that the client can decide to not only use some
authoritative internal servers, but also use some recursive internal
servers. But I think those should be specified in the existing
INTERNAL_IP4_DNS / INTERNAL_IP6_DNS attributes.

I suggest we change the above to:

   A client using these configuration payloads will be able to request
   and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
   and INTERNAL_DNSSEC_TA configuration attributes. The client device
   can use the internal DNS server(s) for any DNS queries within the
   assigned domains. DNS queries for other domains MAY be sent to
   an internal recursive DNS server specified in an INTERNAL_IP4_DNS
   or INTERNAL_IP6_DNS Configuration Payload but MAY also be resolved
   using the client's regular DNS resolving mechanisms outside of the
   IPsec connection.

Tommy, let me know what you think about this change?
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
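
Added example, not part of the thread or the draft: a sketch of the resolver choice the proposed text describes, where names inside an INTERNAL_DNS_DOMAIN go to the internal servers and other names follow local policy. The label-boundary, case-insensitive suffix match and the `tunnel_other_domains` flag are assumptions of this example, and every domain and address is constructed.

```python
from dataclasses import dataclass


@dataclass
class SplitDnsConfig:
    """Values a client might hold after the configuration exchange (constructed)."""
    internal_domains: list   # from INTERNAL_DNS_DOMAIN attributes
    internal_servers: list   # from INTERNAL_IP4_DNS / INTERNAL_IP6_DNS attributes
    system_servers: list     # the client's regular resolvers, outside the tunnel
    # Hypothetical local policy knob: the proposed text allows either choice
    # (MAY / MAY) for names outside the assigned domains.
    tunnel_other_domains: bool = False


def _labels(name):
    # DNS names compare case-insensitively; drop the root dot and empty labels.
    return [label for label in name.rstrip(".").lower().split(".") if label]


def in_domain(qname, domain):
    """True if qname equals domain or is a subdomain of it, matched per label.

    Matching whole labels (assumption of this example) keeps
    'notcorp.example' and 'corp.example.other.test' out of 'corp.example',
    which a plain string endswith()/startswith() check would get wrong.
    """
    q, d = _labels(qname), _labels(domain)
    return bool(d) and len(q) >= len(d) and q[-len(d):] == d


def select_servers(cfg, qname):
    """Return (path, servers) for one query name."""
    if any(in_domain(qname, d) for d in cfg.internal_domains):
        return ("internal", cfg.internal_servers)
    if cfg.tunnel_other_domains and cfg.internal_servers:
        # Other domains sent to the internal recursive server.
        return ("internal", cfg.internal_servers)
    # Other domains resolved by the client's regular mechanism.
    return ("system", cfg.system_servers)


if __name__ == "__main__":
    cfg = SplitDnsConfig(["corp.example"], ["10.0.0.53"], ["192.0.2.53"])
    for name in ("wiki.corp.example", "notcorp.example", "www.example.org"):
        print(name, select_servers(cfg, name))
```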