Re: [IPsec] Split DNS in IKEv2 Configuration Payload

2015-09-24 Thread Tommy Pauly
Hello all,

Based on the conversation on the IPSec list previously about supporting Split 
DNS in IKEv2, Paul and I have written up a draft to add support for Split DNS 
(as well as DNSSEC) to the configuration attributes for IKEv2.

We’d like to get feedback from the working group about the level of interest in 
this topic, and if people would like to work on adopting it.

Thanks!
Tommy

===

A new version of I-D, draft-pauly-ipsecme-split-dns-00.txt
has been successfully submitted by Tommy Pauly and posted to the
IETF repository.

Name:   draft-pauly-ipsecme-split-dns
Revision:   00
Title:  Split-DNS Configuration for IKEv2 
Document date:  2015-09-24
Group:  Individual Submission
Pages:  10
URL:    https://www.ietf.org/internet-drafts/draft-pauly-ipsecme-split-dns-00.txt

Status: https://datatracker.ietf.org/doc/draft-pauly-ipsecme-split-dns/ 

Htmlized:   https://tools.ietf.org/html/draft-pauly-ipsecme-split-dns-00 



Abstract:
  This document defines two new Configuration Payload Attribute Types
  for the IKEv2 protocol that together define a set of private DNS
  domains which should be resolved by DNS servers reachable through an
  IPsec connection, while leaving all other DNS resolution unchanged.
  This allows for split-DNS views for multiple domains and includes
  support for private DNSSEC trust anchors.  The information obtained
  via the new attribute types can be used to reconfigure a locally
  running DNS server with DNS forwarding for specific private domains.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Re: [IPsec] Split DNS in IKEv2 Configuration Payload

2015-09-24 Thread Paul Wouters

On Thu, 24 Sep 2015, Tommy Pauly wrote:

> We’d like to get feedback from the working group about the level of interest in
> this topic, and if people would like to work on adopting it.


One item we were not sure about is the format of the INTERNAL_DNSSEC_TA.

While a DS record is shorter and nicer and easier to add as a configuration
option, it requires the initiator to do an (insecure?) DNS request for
the DNSKEY, then convert/verify it with the DS record. It would be
easier for the client to be given the DNSKEY.

But DNSKEYs are much bigger and unwieldy and would be pretty ugly in
configuration files on the responder side.

Paul

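The extra step Paul describes for a DS-style INTERNAL_DNSSEC_TA, an initiator that is handed only a DS record, fetches the DNSKEY over plain DNS and then has to verify that the key actually matches the DS (RFC 4034 section 5.1.4 and Appendix B), worked through as an added Python example; this is not code from the draft or from either poster, the owner name, key fields and public-key bytes are constructed sample values, and the IKEv2 attribute encoding itself is not shown.

```python
import hashlib
import hmac
import struct

# DS digest types from the IANA registry: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample key material (not a real zone key): KSK flags, protocol 3, algorithm 13.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY = bytes(range(0x10, 0x50))  # 64 placeholder bytes standing in for a public key


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout: Flags(2) | Protocol(1) | Algorithm(1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the special case for algorithm 1 is not handled here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(canonical owner name || DNSKEY RDATA)."""
    return DS_DIGEST[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the (key tag, algorithm, digest type, digest) tuple a responder would configure."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey, ds) -> bool:
    """The client-side check: does a DNSKEY fetched over plain DNS match the configured DS?"""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST:  # unknown digest type: the DS is unusable, so no match
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if algorithm != alg or key_tag(rdata) != tag:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest)
```

Until this check passes, the fetched DNSKEY is untrusted data; only the DS digest (delivered inside the IKEv2 exchange) ties it to the responder's configuration.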