draft-ietf-ipsecme-split-dns-03.txt   draft-ietf-ipsecme-split-dns-04.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: May 16, 2018 Red Hat Expires: July 26, 2018 Red Hat
November 12, 2017 January 22, 2018
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-03 draft-ietf-ipsecme-split-dns-04
Abstract Abstract
This document defines two Configuration Payload Attribute Types for This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains. These the IKEv2 protocol that add support for private DNS domains. These
domains should be resolved using DNS servers reachable through an domains should be resolved using DNS servers reachable through an
IPsec connection, while leaving all other DNS resolution unchanged. IPsec connection, while leaving all other DNS resolution unchanged.
This approach of resolving a subset of domains using non-public DNS This approach of resolving a subset of domains using non-public DNS
servers is referred to as "Split DNS". servers is referred to as "Split DNS".
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 16, 2018. This Internet-Draft will expire on July 26, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 24 skipping to change at page 2, line 24
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7
5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
Split DNS is a common configuration for secure tunnels, such as Split DNS is a common configuration for secure tunnels, such as
Virtual Private Networks in which host machines private to an Virtual Private Networks in which host machines private to an
organization can only be resolved using internal DNS resolvers organization can only be resolved using internal DNS resolvers
skipping to change at page 8, line 37 skipping to change at page 8, line 37
using some other external DNS resolver(s), configured independently using some other external DNS resolver(s), configured independently
from IKE. Queries for these other domains MAY be sent to the from IKE. Queries for these other domains MAY be sent to the
internal DNS resolver(s) listed in that CFG_REPLY message, but have internal DNS resolver(s) listed in that CFG_REPLY message, but have
no guarantee of being answered. For example, if the no guarantee of being answered. For example, if the
INTERNAL_DNS_DOMAIN attribute specifies "example.com", then INTERNAL_DNS_DOMAIN attribute specifies "example.com", then
"example.com", "www.example.com" and "mail.eng.example.com" MUST be "example.com", "www.example.com" and "mail.eng.example.com" MUST be
resolved using the internal DNS resolver(s), but "anotherexample.com" resolved using the internal DNS resolver(s), but "anotherexample.com"
and "ample.com" SHOULD NOT be resolved using the internal resolver and "ample.com" SHOULD NOT be resolved using the internal resolver
and SHOULD use the system's external DNS resolver(s). and SHOULD use the system's external DNS resolver(s).
An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing
domains that are designated Special Use Domain Names in [RFC6761],
such as "local", "localhost", "invalid", etc. Although it may
explicitly wish to support some Special Use Domain Names.
When an IKE SA is terminated, the DNS forwarding must be When an IKE SA is terminated, the DNS forwarding must be
unconfigured. The DNS forwarding itself MUST be be deleted. All unconfigured. The DNS forwarding itself MUST be be deleted. All
cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be
flushed. This includes negative cache entries. Obtained DNSSEC flushed. This includes negative cache entries. Obtained DNSSEC
trust anchors MUST be removed from the list of trust anchors. The trust anchors MUST be removed from the list of trust anchors. The
outstanding DNS request queue MUST be cleared. outstanding DNS request queue MUST be cleared.
INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be
used on split tunnel configurations where only a subset of traffic is used on split tunnel configurations where only a subset of traffic is
routed into a private remote network using the IPsec connection. If routed into a private remote network using the IPsec connection. If
skipping to change at page 9, line 44 skipping to change at page 9, line 42
public DNS view, for which it has not explicitely requested such public DNS view, for which it has not explicitely requested such
deletation by specifying the domain specifically using a deletation by specifying the domain specifically using a
INTERNAL_DNS_DOMAIN(domain) request. INTERNAL_DNS_DOMAIN(domain) request.
A domain that is served via INTERNAL_DNS_DOMAIN should pay close A domain that is served via INTERNAL_DNS_DOMAIN should pay close
attention to their use of indirect reference RRtypes such as CNAME, attention to their use of indirect reference RRtypes such as CNAME,
DNAME, MX or SRV records so that resolving works as intended when DNAME, MX or SRV records so that resolving works as intended when
all, some or none of the IPsec connections are established. all, some or none of the IPsec connections are established.
The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
passed to another (DNS) program for processing. The content MUST be passed to another (DNS) program for processing. As with any network
verified and sanitized before passing it to other software. For input, the content should be considered untrusted and handled
example, domain names are limited to alphanumeric characters and the accordingly.
minus ("-") and underscore ("_") symbol and if other other characters
are present, the entire payload could be ignored and not passed to
DNS software, or the malicious characters could be filtered out
before passing the payload to DNS software.
7. IANA Considerations 7. IANA Considerations
This document defines two new IKEv2 Configuration Payload Attribute This document defines two new IKEv2 Configuration Payload Attribute
Types, which are allocated from the "IKEv2 Configuration Payload Types, which are allocated from the "IKEv2 Configuration Payload
Attribute Types" namespace. Attribute Types" namespace.
Multi- Multi-
Value Attribute Type Valued Length Reference Value Attribute Type Valued Length Reference
------ ------------------- ------ ---------- --------------- ------ ------------------- ------ ---------- ---------------
skipping to change at page 11, line 5 skipping to change at page 10, line 48
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
8.2. Informative References 8.2. Informative References
[RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775,
DOI 10.17487/RFC2775, February 2000, <https://www.rfc- DOI 10.17487/RFC2775, February 2000, <https://www.rfc-
editor.org/info/rfc2775>. editor.org/info/rfc2775>.
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
RFC 6761, DOI 10.17487/RFC6761, February 2013,
<https://www.rfc-editor.org/info/rfc6761>.
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435, Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>. December 2014, <https://www.rfc-editor.org/info/rfc7435>.
Authors' Addresses Authors' Addresses
Tommy Pauly Tommy Pauly
Apple Inc. Apple Inc.
1 Infinite Loop 1 Infinite Loop
Cupertino, California 95014 Cupertino, California 95014
 End of changes. 8 change blocks. 
22 lines changed or deleted 9 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/