draft-ietf-ipsecme-split-dns-06.txt   draft-ietf-ipsecme-split-dns-07.txt 
Network T. Pauly Network T. Pauly
Internet-Draft Apple Inc. Internet-Draft Apple Inc.
Intended status: Standards Track P. Wouters Intended status: Standards Track P. Wouters
Expires: August 13, 2018 Red Hat Expires: August 31, 2018 Red Hat
February 9, 2018 February 27, 2018
Split DNS Configuration for IKEv2 Split DNS Configuration for IKEv2
draft-ietf-ipsecme-split-dns-06 draft-ietf-ipsecme-split-dns-07
Abstract Abstract
This document defines two Configuration Payload Attribute Types for This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains. These the IKEv2 protocol that add support for private DNS domains. These
domains should be resolved using DNS servers reachable through an domains are intended to be resolved using DNS servers reachable
IPsec connection, while leaving all other DNS resolution unchanged. through an IPsec connection, while leaving all other DNS resolution
This approach of resolving a subset of domains using non-public DNS unchanged. This approach of resolving a subset of domains using non-
servers is referred to as "Split DNS". public DNS servers is referred to as "Split DNS".
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 13, 2018. This Internet-Draft will expire on August 31, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
skipping to change at page 2, line 21 skipping to change at page 2, line 21
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3 3. Protocol Exchange . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4 3.1. Configuration Request . . . . . . . . . . . . . . . . . . 4
3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4
3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5
3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5
3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5
3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6
4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request
and Reply . . . . . . . . . . . . . . . . . . . . . . . . 6 and Reply . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7
5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 8 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
Split DNS is a common configuration for secure tunnels, such as Split DNS is a common configuration for secure tunnels, such as
Virtual Private Networks in which host machines private to an Virtual Private Networks in which host machines private to an
organization can only be resolved using internal DNS resolvers organization can only be resolved using internal DNS resolvers
[RFC2775]. In such configurations, it is often desirable to only [RFC2775]. In such configurations, it is often desirable to only
resolve hosts within a set of private domains using the tunnel, while resolve hosts within a set of private domains using the tunnel, while
letting resolutions for public hosts be handled by a device's default letting resolutions for public hosts be handled by a device's default
DNS configuration. DNS configuration.
The Internet Key Exchange protocol version 2 [RFC7296] negotiates The Internet Key Exchange protocol version 2 [RFC7296] negotiates
configuration parameters using Configuration Payload Attribute Types. configuration parameters using Configuration Payload Attribute Types.
This document defines two Configuration Payload Attribute Types that This document defines two Configuration Payload Attribute Types that
add support for trusted Split DNS domains. add support for trusted Split DNS domains.
The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more
DNS domains that should be resolved only using the provided DNS DNS domains that SHOULD be resolved only using the provided DNS
nameserver IP addresses, causing these requests to use the IPsec nameserver IP addresses, causing these requests to use the IPsec
connection. connection.
The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust
anchors for those domains. anchors for those domains.
When only a subset of traffic is routed into a private network using When only a subset of traffic is routed into a private network using
an IPsec SA, these Configuration Payload options can be used to an IPsec SA, these Configuration Payload options can be used to
define which private domains should be resolved through the IPsec define which private domains are intended to be resolved through the
connection without affecting the client's global DNS resolution. IPsec connection without affecting the client's global DNS
resolution.
For the purposes of this document, DNS resolution servers accessible For the purposes of this document, DNS resolution servers accessible
through an IPsec connection will be referred to as "internal DNS through an IPsec connection will be referred to as "internal DNS
servers", and other DNS servers will be referred to as "external DNS servers", and other DNS servers will be referred to as "external DNS
servers". servers".
A client using these configuration payloads will be able to request A client using these configuration payloads will be able to request
and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN and receive Split DNS configurations using the INTERNAL_DNS_DOMAIN
and INTERNAL_DNSSEC_TA configuration attributes. The client device and INTERNAL_DNSSEC_TA configuration attributes. The client device
can use the internal DNS server(s) for any DNS queries within the can use the internal DNS server(s) for any DNS queries within the
assigned domains. DNS queries for other domains should be send to assigned domains. DNS queries for other domains SHOULD be sent to
regular external DNS server. the regular external DNS server.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in RFC 2119 [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
captials, as shown here.
2. Background 2. Background
Split DNS is a common configuration for enterprise VPN deployments, Split DNS is a common configuration for enterprise VPN deployments,
in which only one or a few private DNS domains are accessible and in which only one or a few private DNS domains are accessible and
resolvable via an IPsec based VPN connection. resolvable via an IPsec based VPN connection.
Other tunnel-establishment protocols already support the assignment Other tunnel-establishment protocols already support the assignment
of Split DNS domains. For example, there are proprietary extensions of Split DNS domains. For example, there are proprietary extensions
to IKEv1 that allow a server to assign Split DNS domains to a client. to IKEv1 that allow a server to assign Split DNS domains to a client.
skipping to change at page 4, line 22 skipping to change at page 4, line 25
The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually The INTERNAL_DNS_DOMAIN attribute sent by the initiator is usually
empty but MAY contain a suggested domain name. empty but MAY contain a suggested domain name.
The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST The absence of INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST
payload indicates that the initiator does not support or is unwilling payload indicates that the initiator does not support or is unwilling
to accept Split DNS configuration. to accept Split DNS configuration.
To indicate support for DNSSEC, an initiator includes one or more To indicate support for DNSSEC, an initiator includes one or more
INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the INTERNAL_DNSSEC_TA attributes as defined in Section 4 as part of the
CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attriute is included CFG_REQUEST payload. If an INTERNAL_DNSSEC_TA attribute is included
in the CFG_REQUEST, the initiator SHOULD also include one or more in the CFG_REQUEST, the initiator SHOULD also include one or more
INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST. If the initiator
includes an INTERNAL_DNSSEC_TA attribute, but does not inclue an
INTERNAL_DNS_DOMAIN attribute, the responder MAY still respond with
both INTERNAL_DNSSEC_TA and INTERNAL_DNS_DOMAIN attributes.
An initiator MAY convey its current DNSSEC trust anchors for the An initiator MAY convey its current DNSSEC trust anchors for the
domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does domain specified in the INTERNAL_DNS_DOMAIN attribute. If it does
not wish to convey this information, it MUST use a length of 0. not wish to convey this information, it MUST use a length of 0.
The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST The absence of INTERNAL_DNSSEC_TA attributes in the CFG_REQUEST
payload indicates that the initiator does not support or is unwilling payload indicates that the initiator does not support or is unwilling
to accept DNSSEC trust anchor configuration. to accept DNSSEC trust anchor configuration.
3.2. Configuration Reply 3.2. Configuration Reply
Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in Responders MAY send one or more INTERNAL_DNS_DOMAIN attributes in
their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is their CFG_REPLY payload. If an INTERNAL_DNS_DOMAIN attribute is
included in the CFG_REPLY, the responder MUST also include one or included in the CFG_REPLY, the responder MUST also include one or
both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the both of the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes in the
CFG_REPLY. These DNS server configurations are necessary to define CFG_REPLY. These DNS server configurations are necessary to define
which servers should receive queries for hostnames in internal which servers can receive queries for hostnames in internal domains.
domains. If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN If the CFG_REQUEST included an INTERNAL_DNS_DOMAIN attribute, but the
attribute, but the CFG_REPLY does not include an INTERNAL_DNS_DOMAIN CFG_REPLY does not include an INTERNAL_DNS_DOMAIN attribute, the
attribute, the initiator should behave as if Split DNS configurations initiator SHOULD behave as if Split DNS configurations are not
are not supported by the server. supported by the server.
Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers Each INTERNAL_DNS_DOMAIN represents a domain that the DNS servers
address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve. address listed in INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can resolve.
If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non- If the CFG_REQUEST included INTERNAL_DNS_DOMAIN attributes with non-
zero lengths, the content MAY be ignored or be interpreted as a zero lengths, the content MAY be ignored or be interpreted as a
suggestion by the responder. suggestion by the responder.
For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute, For each DNS domain specified in an INTERNAL_DNS_DOMAIN attribute,
one or more INTERNAL_DNSSEC_TA attributes MAY be included by the one or more INTERNAL_DNSSEC_TA attributes MAY be included by the
skipping to change at page 5, line 28 skipping to change at page 5, line 35
single list of Split DNS domains that applies to the entire list of single list of Split DNS domains that applies to the entire list of
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes. INTERNAL_IP4_DNS and INTERNAL_IP6_DNS attributes.
3.4. Example Exchanges 3.4. Example Exchanges
3.4.1. Simple Case 3.4.1. Simple Case
In this example exchange, the initiator requests INTERNAL_IP4_DNS and In this example exchange, the initiator requests INTERNAL_IP4_DNS and
INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not INTERNAL_DNS_DOMAIN attributes in the CFG_REQUEST, but does not
specify any value for either. This indicates that it supports Split specify any value for either. This indicates that it supports Split
DNS, but has no preference for which DNS requests should be routed DNS, but has no preference for which DNS requests will be routed
through the tunnel. through the tunnel.
The responder replies with two DNS server addresses, and two internal The responder replies with two DNS server addresses, and two internal
domains, "example.com" and "city.other.com". domains, "example.com" and "city.other.com".
Any subsequent DNS queries from the initiator for domains such as Any subsequent DNS queries from the initiator for domains such as
"www.example.com" should use 198.51.100.2 or 198.51.100.4 to resolve. "www.example.com" SHOULD use 198.51.100.2 or 198.51.100.4 to resolve.
CP(CFG_REQUEST) = CP(CFG_REQUEST) =
INTERNAL_IP4_ADDRESS() INTERNAL_IP4_ADDRESS()
INTERNAL_IP4_DNS() INTERNAL_IP4_DNS()
INTERNAL_DNS_DOMAIN() INTERNAL_DNS_DOMAIN()
CP(CFG_REPLY) = CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.2)
INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_IP4_DNS(198.51.100.4)
INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNS_DOMAIN(example.com)
INTERNAL_DNS_DOMAIN(city.other.com) INTERNAL_DNS_DOMAIN(city.other.com)
3.4.2. Requesting Domains and DNSSEC trust anchors 3.4.2. Requesting Domains and DNSSEC trust anchors
In this example exchange, the initiator requests INTERNAL_IP4_DNS, In this example exchange, the initiator requests INTERNAL_IP4_DNS,
INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributess in the INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes in the
CFG_REQUEST CFG_REQUEST.
Any subsequent DNS queries from the initiator for domains such as Any subsequent DNS queries from the initiator for domains such as
"www.example.com" or "city.other.com" would be DNSSEC validated using "www.example.com" or "city.other.com" would be DNSSEC validated using
the DNSSEC trust anchor received in the CFG_REPLY the DNSSEC trust anchor received in the CFG_REPLY.
In this example, the initiator has no existing DNSSEC trust anchors In this example, the initiator has no existing DNSSEC trust anchors
would the requested domain. the "example.com" dommain has DNSSEC would the requested domain. the "example.com" dommain has DNSSEC
trust anchors that are returned, while the "other.com" domain has no trust anchors that are returned, while the "other.com" domain has no
DNSSEC trust anchors DNSSEC trust anchors.
CP(CFG_REQUEST) = CP(CFG_REQUEST) =
INTERNAL_IP4_ADDRESS() INTERNAL_IP4_ADDRESS()
INTERNAL_IP4_DNS() INTERNAL_IP4_DNS()
INTERNAL_DNS_DOMAIN() INTERNAL_DNS_DOMAIN()
INTERNAL_DNSSEC_TA() INTERNAL_DNSSEC_TA()
CP(CFG_REPLY) = CP(CFG_REPLY) =
INTERNAL_IP4_ADDRESS(198.51.100.234) INTERNAL_IP4_ADDRESS(198.51.100.234)
INTERNAL_IP4_DNS(198.51.100.2) INTERNAL_IP4_DNS(198.51.100.2)
INTERNAL_IP4_DNS(198.51.100.4) INTERNAL_IP4_DNS(198.51.100.4)
INTERNAL_DNS_DOMAIN(example.com) INTERNAL_DNS_DOMAIN(example.com)
INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4F1B56083) INTERNAL_DNSSEC_TA(43547,8,1,B6225AB2CC613E0DCA7962BDC2342EA4...)
INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C2C90....) INTERNAL_DNSSEC_TA(31406,8,2,F78CF3344F72137235098ECBBD08947C...)
INTERNAL_DNS_DOMAIN(city.other.com) INTERNAL_DNS_DOMAIN(city.other.com)
4. Payload Formats 4. Payload Formats
All multi-octet fields representing integers are laid out in big All multi-octet fields representing integers are laid out in big
endian order (also known as "most significant byte first", or endian order (also known as "most significant byte first", or
"network byte order"). "network byte order").
4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type Request and Reply
1 2 3 1 2 3
skipping to change at page 7, line 50 skipping to change at page 8, line 32
| | | |
~ Digest Data ~ ~ Digest Data ~
| | | |
+---------------------------------------------------------------+ +---------------------------------------------------------------+
o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296].
o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA. o Attribute Type (15 bits) set to value 26 for INTERNAL_DNSSEC_TA.
o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4 o Length (0 or 2 octets) - Length of DNSSEC Trust Anchor data (4
octets plus the length of the Digest Data) octets plus the length of the Digest Data).
o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key o DNSKEY Key Tag value (0 or 2 octets) - Delegation Signer (DS) Key
Tag as specified in [RFC4034] Section 5.1 Tag as specified in [RFC4034] Section 5.1.
o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the o DNSKEY Algorithm (0 or 1 octet) - DNSKEY algorithm value from the
IANA DNS Security Algorithm Numbers Registry IANA DNS Security Algorithm Numbers Registry.
o Digest Type (0 or 1 octet) - DS algorithm value from the IANA o Digest Type (0 or 1 octet) - DS algorithm value from the IANA
Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms
Registry Registry.
o Digest Data (0 or more octets) - The DNSKEY digest as specified in o Digest Data (0 or more octets) - The DNSKEY digest as specified in
[RFC4034] Section 5.1 in presentation format. [RFC4034] Section 5.1 in presentation format.
5. Split DNS Usage Guidelines 5. Split DNS Usage Guidelines
If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes,
the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS
servers as the default DNS server(s) for all queries. servers as the default DNS server(s) for all queries.
skipping to change at page 9, line 7 skipping to change at page 9, line 37
using some other external DNS resolver(s), configured independently using some other external DNS resolver(s), configured independently
from IKE. Queries for these other domains MAY be sent to the from IKE. Queries for these other domains MAY be sent to the
internal DNS resolver(s) listed in that CFG_REPLY message, but have internal DNS resolver(s) listed in that CFG_REPLY message, but have
no guarantee of being answered. For example, if the no guarantee of being answered. For example, if the
INTERNAL_DNS_DOMAIN attribute specifies "example.com", then INTERNAL_DNS_DOMAIN attribute specifies "example.com", then
"example.com", "www.example.com" and "mail.eng.example.com" MUST be "example.com", "www.example.com" and "mail.eng.example.com" MUST be
resolved using the internal DNS resolver(s), but "anotherexample.com" resolved using the internal DNS resolver(s), but "anotherexample.com"
and "ample.com" SHOULD NOT be resolved using the internal resolver and "ample.com" SHOULD NOT be resolved using the internal resolver
and SHOULD use the system's external DNS resolver(s). and SHOULD use the system's external DNS resolver(s).
When an IKE SA is terminated, the DNS forwarding must be When an IKE SA is terminated, the DNS forwarding MUST be
unconfigured. The DNS forwarding itself MUST be be deleted. All unconfigured. This includes deleting the DNS forwarding rules;
cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be flushing all cached data for DNS domains provided by the
flushed. This includes negative cache entries. Obtained DNSSEC INTERNAL_DNS_DOMAIN attribute, including negative cache entries;
trust anchors MUST be removed from the list of trust anchors. The removing any obtained DNSSEC trust anchors from the list of trust
outstanding DNS request queue MUST be cleared. anchors; and clearing the outstanding DNS request queue.
INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be
used on split tunnel configurations where only a subset of traffic is used on split tunnel configurations where only a subset of traffic is
routed into a private remote network using the IPsec connection. If routed into a private remote network using the IPsec connection. If
all traffic is routed over the IPsec connection, the existing global all traffic is routed over the IPsec connection, the existing global
INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating INTERNAL_IP4_DNS and INTERNAL_IP6_DNS can be used without creating
specific DNS exemptions. specific DNS exemptions.
6. Security Considerations 6. Security Considerations
The use of Split DNS configurations assigned by an IKEv2 responder is The use of Split DNS configurations assigned by an IKEv2 responder is
predicated on the trust established during IKE SA authentication. predicated on the trust established during IKE SA authentication.
However, if IKEv2 is being negotiated with an anonymous or unknown However, if IKEv2 is being negotiated with an anonymous or unknown
endpoint (such as for Opportunistic Security [RFC7435]), the endpoint (such as for Opportunistic Security [RFC7435]), the
initiator MUST ignore Split DNS configurations assigned by the initiator MUST ignore Split DNS configurations assigned by the
responder. responder.
If a host connected to an authenticated IKE peer is connecting to If a host connected to an authenticated IKE peer is connecting to
another IKE peer that attempts to claim the same domain via the another IKE peer that attempts to claim the same domain via the
INTERNAL_DNS_DOMAIN attribute, the IKE connection should only process INTERNAL_DNS_DOMAIN attribute, the IKE connection SHOULD only process
the DNS information if the two connections are part of the same the DNS information if the two connections are part of the same
logical entity. Otherwise, the client should refuse the DNS logical entity. Otherwise, the client SHOULD refuse the DNS
information and potentially warn the enduser. information and potentially warn the end-user.
INTERNAL_DNSSEC_TA payloads MUST immediately follow an INTERNAL_DNSSEC_TA payloads MUST immediately follow an
INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself INTERNAL_DNS_DOMAIN payload. As the INTERNAL_DNSSEC_TA format itself
does not contain the domain name, it relies on the preceding does not contain the domain name, it relies on the preceding
INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the INTERNAL_DNS_DOMAIN to provide the domain for which it specifies the
trust anchor. trust anchor.
If the initiator is using DNSSEC validation for a domain in its If the initiator is using DNSSEC validation for a domain in its
public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN public DNS view, and it requests and receives an INTERNAL_DNS_DOMAIN
attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure attribute without an INTERNAL_DNSSEC_TA, it will need to reconfigure
its DNS resolver to allow for an insecure delegation. It SHOULD NOT its DNS resolver to allow for an insecure delegation. It SHOULD NOT
accept insecure delegations for domains that are DNSSEC signed in the accept insecure delegations for domains that are DNSSEC signed in the
public DNS view, for which it has not explicitely requested such public DNS view, for which it has not explicitely requested such
deletation by specifying the domain specifically using a deletation by specifying the domain specifically using a
INTERNAL_DNS_DOMAIN(domain) request. INTERNAL_DNS_DOMAIN(domain) request.
A domain that is served via INTERNAL_DNS_DOMAIN should pay close Deployments that configure INTERNAL_DNS_DOMAIN domains should pay
attention to their use of indirect reference RRtypes such as CNAME, close attention to their use of indirect reference RRtypes such as
DNAME, MX or SRV records so that resolving works as intended when CNAME, DNAME, MX or SRV records so that resolving works as intended
all, some or none of the IPsec connections are established. when all, some, or none of the IPsec connections are established.
The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
passed to another (DNS) program for processing. As with any network passed to another (DNS) program for processing. As with any network
input, the content should be considered untrusted and handled input, the content SHOULD be considered untrusted and handled
accordingly. accordingly.
7. IANA Considerations 7. IANA Considerations
This document defines two new IKEv2 Configuration Payload Attribute This document defines two new IKEv2 Configuration Payload Attribute
Types, which are allocated from the "IKEv2 Configuration Payload Types, which are allocated from the "IKEv2 Configuration Payload
Attribute Types" namespace. Attribute Types" namespace.
Multi- Multi-
Value Attribute Type Valued Length Reference Value Attribute Type Valued Length Reference
skipping to change at page 10, line 40 skipping to change at page 11, line 24
8.1. Normative References 8.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<https://www.rfc-editor.org/info/rfc1918>. <https://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005, RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>. <https://www.rfc-editor.org/info/rfc4034>.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>. <https://www.rfc-editor.org/info/rfc5890>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
Kivinen, "Internet Key Exchange Protocol Version 2 Kivinen, "Internet Key Exchange Protocol Version 2
(IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
2014, <https://www.rfc-editor.org/info/rfc7296>. 2014, <https://www.rfc-editor.org/info/rfc7296>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 8.2. Informative References
[RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775,
DOI 10.17487/RFC2775, February 2000, <https://www.rfc- DOI 10.17487/RFC2775, February 2000,
editor.org/info/rfc2775>. <https://www.rfc-editor.org/info/rfc2775>.
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435, Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>. December 2014, <https://www.rfc-editor.org/info/rfc7435>.
Authors' Addresses Authors' Addresses
Tommy Pauly Tommy Pauly
Apple Inc. Apple Inc.
1 Infinite Loop One Apple Park Way
Cupertino, California 95014 Cupertino, California 95014
US US
Email: tpauly@apple.com Email: tpauly@apple.com
Paul Wouters Paul Wouters
Red Hat Red Hat
Email: pwouters@redhat.com Email: pwouters@redhat.com
 End of changes. 37 change blocks. 
71 lines changed or deleted 81 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/