Re: [DNSOP] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Warren Kumari
On Wed, Nov 21, 2018 at 1:27 PM Heather Flanagan wrote: > > On 11/21/18 9:33 AM, Warren Kumari wrote: > > [ - DNSOP (for clutter), +Heather / RFC Editor for sanity :-P ] > > On Wed, Nov 21, 2018 at 9:47 AM Sara Dickinson wrote: > >> >> >> On 21 Nov 2018, at 14:42, Alexey Melnikov wrote: >> >>

Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Paul Hoffman
On Nov 26, 2018, at 5:44 PM, Warren Kumari wrote: > Actually, there is - the tcpdump man pages (and actually all of their > documentation!) lives in github - the version that this document references > is: >

Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Paul Wouters
This discussion would be better if people took Warren’s example and then read the draft before commenting. I will watch the discussion before responding further. Thanks Paul Sent from mobile device > On Nov 27, 2018, at 01:43, Paul Hoffman wrote: > >> On Nov 26, 2018, at 10:36 AM, Ted

Re: [DNSOP] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Warren Kumari
[ + Paul Hoffman for real this time! ] On Mon, Nov 26, 2018 at 8:43 PM Warren Kumari wrote: > > > On Wed, Nov 21, 2018 at 1:27 PM Heather Flanagan > wrote: > >> >> On 11/21/18 9:33 AM, Warren Kumari wrote: >> >> [ - DNSOP (for clutter), +Heather / RFC Editor for sanity :-P ] >> >> On Wed, Nov

Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Warren Kumari
On Mon, Nov 26, 2018 at 8:58 PM Paul Hoffman wrote: > On Nov 26, 2018, at 5:44 PM, Warren Kumari wrote: > > Actually, there is - the tcpdump man pages (and actually all of their > documentation!) lives in github - the version that this document references > is: > > >

Re: [DNSOP] [Ext] Alexey Melnikov's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Paul Hoffman
| filter | O | T | "tcpdump" [pcap] style filter for | | | | | input. | On Nov 26, 2018, at 6:05 PM, Warren Kumari wrote: > ... that is where we started. > The concern was what happens if there are new filters added, and

Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Ted Lemon
On Nov 26, 2018, at 7:59 PM, Paul Wouters wrote: > This discussion would be better if people took warren’s example and then read > the draft before commenting. I don't think that the answer changes much as a result of this, but it does change a little. You've obviously put a lot of thought

Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Brian Dickson
> > > On 27 Nov 2018, at 1:54 am, Tony Finch wrote: > > > > Richard Gibson wrote: > >> > >> I am currently going through a similar exercise in another context, and the > >> best current text there explicitly characterizes the non-obvious day-based > >> accounting of POSIX time. > > > >

Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Tony Finch
Richard Gibson wrote: > > I am currently going through a similar exercise in another context, and the > best current text there explicitly characterizes the non-obvious day-based > accounting of POSIX time. In general I think it's best to just refer to POSIX on this matter, and not try to

[DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Warren Kumari
Hi there DNSOP, I (and a number of IESG folken) would like some feedback / guidance on draft-ietf-ipsecme-split-dns. This document (which has gone through IESG eval, and on which I'm currently holding a DISCUSS) attempts to solve the problem of accessing internal domains when using a

Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Joe Abley
Hi Warren, It seems to me that the intended use-case is access to corporate-like network environments where intranet.corporate-like.com might exist on the inside but not on the outside. Whether access is through a VPN or WPA2-protected WiFi or an RJ45

Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Ted Lemon
I think it's pretty clearly the case that the VPN provider should not be automatically assumed to be trusted. Most VPNs that people use nowadays aren't trustworthy in that sense. Also, I think that we should draw a hard line in the sand that it's never okay to override DNS trust. I can't

Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Ted Lemon
On Mon, Nov 26, 2018 at 1:29 PM Paul Hoffman wrote: > Once you are inside a network (the N in VPN), it's "my network, my policy" > all over again. > Can you unpack what you mean by this? I assume you don't mean that we should provide a mechanism whereby network operators can automatically

Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Joe Abley
On 26 Nov 2018, at 13:28, Paul Hoffman wrote: > On Nov 26, 2018, at 8:17 AM, Warren Kumari wrote: >> As you can guess from the name, VPNs-R-Us is sketchy > > If you trust a VPN operator, you trust the VPN operator. What the rest of > your message is asking is "can I partially trust the VPN

Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Paul Hoffman
On Nov 26, 2018, at 10:36 AM, Ted Lemon wrote: > On Mon, Nov 26, 2018 at 1:29 PM Paul Hoffman wrote: > Once you are inside a network (the N in VPN), it's "my network, my policy" > all over again. > > Can you unpack what you mean by this? I assume you don't mean that we > should provide a

Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread John Levine
In article you write: >> Can you unpack what you mean by this? I assume you don't mean that we >> should provide a mechanism whereby >network operators can automatically override DNSSEC trust anchors! > >For names that are only available within a trusted network, yes I really mean >that. I

Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Ted Lemon
If there's no delegation from the root, and it can be validated that there is no delegation from the root, then the attack surface that this draft provides is that your corporate private DNSSEC on foo.corp can be overridden by the VPN. So as you say, Tony, even in this case, the right way to do

Re: [DNSOP] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Tony Finch
Joe Abley wrote: > > It seems to me that the intended use-case is access to corporate-like > network environments where intranet.corporate-like.com might exist on > the inside but not on the outside. More likely cases like corporate-like.local or corporate-like.int or like.corp etc. usw. :-(

[DNSOP] Protocol Action: 'DNS Attrleaf Changes: Fixing Specifications with Underscored Node Name Use' to Best Current Practice (draft-ietf-dnsop-attrleaf-fix-07.txt)

2018-11-26 Thread The IESG
The IESG has approved the following document: - 'DNS Attrleaf Changes: Fixing Specifications with Underscored Node Name Use' (draft-ietf-dnsop-attrleaf-fix-07.txt) as Best Current Practice This document is the product of the Domain Name System Operations Working Group. The IESG contact

Re: [DNSOP] [Ext] Favor: Weigh in on draft-ietf-ipsecme-split-dns?

2018-11-26 Thread Paul Hoffman
On Nov 26, 2018, at 8:17 AM, Warren Kumari wrote: > As you can guess from the name, VPNs-R-Us is sketchy If you trust a VPN operator, you trust the VPN operator. What the rest of your message is asking is "can I partially trust the VPN operator to do X but not Y, and have all that be

[DNSOP] Protocol Action: 'DNS Scoped Data Through "Underscore" Naming of Attribute Leaves' to Best Current Practice (draft-ietf-dnsop-attrleaf-16.txt)

2018-11-26 Thread The IESG
The IESG has approved the following document: - 'DNS Scoped Data Through "Underscore" Naming of Attribute Leaves' (draft-ietf-dnsop-attrleaf-16.txt) as Best Current Practice This document is the product of the Domain Name System Operations Working Group. The IESG contact persons are Warren

Re: [DNSOP] Benjamin Kaduk's Discuss on draft-ietf-dnsop-dns-capture-format-08: (with DISCUSS and COMMENT)

2018-11-26 Thread Mark Andrews
Basically one needs to know if there is a leap second about to occur at the end of the month and direction and if you are in a leap second. That can be encoded in two bits. 00 no leap at end of UTC month 01 in additive leap second at end of UTC month 10 subtractive leap at end of