On Thu, 23 Mar 2017, Tero Kivinen wrote:
then someone manages to tear down the VPN connection, and suddenly all
these mappings go away, the next time your mail client tries to fetch
email, it does mail.example.com lookup using external DNS servers, and
will get IP-address of 1.1.1.1 from
A very real use case is OSPFv3 authentication (RFC 4552), all major router
vendors that support OSPFv3 implement that, and it is deployed around the world;
Plus I don't see any realistic alternative for the use case
> -Original Message-
> From: IPsec [mailto:ipsec-boun...@ietf.org] On Behalf Of
>
> On Mar 23, 2017, at 5:37 AM, Tero Kivinen wrote:
>
> Paul Wouters writes:
>>> -3: I wonder why "... is not to be used..." is not "... MUST NOT be
>>> used...". But the section goes on to say if you do it anyway, you MUST
>>> NOT use certain cryptosuites. So, does "... is not
Paul Wouters writes:
> > -3: I wonder why "... is not to be used..." is not "... MUST NOT be
> > used...". But the section goes on to say if you do it anyway, you MUST
> > NOT use certain cryptosuites. So, does "... is not to be used..." mean
> > "SHOULD NOT"? Or is this one of those "MUST NOT BUT
Paul Wouters writes:
> > When an IPsec connection is terminated, the DNS forwarding must be
> > unconfigured. The DNS forwarding itself MUST be deleted. All
> > cached data of the INTERNAL_DNS_DOMAIN provided DNS domains MUST be
> > flushed. This includes negative cache entries.