Diff: draft-ietf-ipsecme-split-dns-13.txt vs. draft-ietf-ipsecme-split-dns-14.txt

Network Working Group                                        T. Pauly
Internet-Draft                                              Apple Inc.
Intended status: Standards Track                            P. Wouters
Expires: April 25, 2019 (draft-13) / May 7, 2019 (draft-14)    Red Hat
                        October 22, 2018 (draft-13) / November 3, 2018 (draft-14)

                     Split DNS Configuration for IKEv2
       draft-ietf-ipsecme-split-dns-13 / draft-ietf-ipsecme-split-dns-14
Abstract

This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains. These
domains are intended to be resolved using DNS servers reachable
through an IPsec connection, while leaving all other DNS resolution
unchanged. This approach of resolving a subset of domains using non-
public DNS servers is referred to as "Split DNS".
[skipping to change at page 1, line 36]
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 25, 2019 (draft-13) / May 7, 2019 (draft-14).
Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
[skipping to change at page 2, line 47]
resolve hosts within a set of private domains using the tunnel, while
letting resolutions for public hosts be handled by a device's default
DNS configuration.

The Internet Key Exchange protocol version 2 [RFC7296] negotiates
configuration parameters using Configuration Payload Attribute Types.
This document defines two Configuration Payload Attribute Types that
add support for trusted Split DNS domains.

The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more
DNS domains that MUST (draft-13: SHOULD) be resolved only using the
provided DNS nameserver IP addresses, causing these requests to use
the IPsec connection.

The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust
anchors for those domains.
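The client-side behaviour these two attributes drive, as an added illustration written for this page (it is not code from the draft or from any IKE implementation): queries for names at or under an INTERNAL_DNS_DOMAIN go only to the nameservers the peer provided, everything else stays with the system resolver, and a trust anchor from INTERNAL_DNSSEC_TA is kept only if it is for one of those internal domains. The attribute name INTERNAL_IP4_DNS referenced in the comments is the RFC 7296 attribute that carries the nameserver addresses; the class and function names, the sample domains, addresses and the placeholder trust-anchor records are this example's own constructions.

```python
"""Split-DNS resolver selection driven by IKEv2 Configuration Payload
attributes. Illustrative example, not code from the draft or any IKE
implementation. INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA are the
attributes this draft defines; INTERNAL_IP4_DNS / INTERNAL_IP6_DNS are
the RFC 7296 attributes carrying nameserver addresses. All names below
are this example's own (hypothetical)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SplitDnsConfig:
    # Domains received in INTERNAL_DNS_DOMAIN attributes.
    internal_domains: List[str]
    # Nameserver addresses received in INTERNAL_IP4_DNS / INTERNAL_IP6_DNS.
    internal_servers: List[str]
    # Trust anchors accepted from INTERNAL_DNSSEC_TA, keyed by domain.
    dnssec_tas: Dict[str, List[str]] = field(default_factory=dict)


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return name.rstrip(".").lower()


def is_within(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it.
    Matching on a label boundary matters: 'evilcorp.example' must not
    match the internal domain 'corp.example'."""
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


def accept_trust_anchor(cfg: SplitDnsConfig, ta_domain: str, ta_record: str) -> bool:
    """Store a trust anchor only if it is for a configured internal domain
    (or a subdomain of one). A trust anchor for any other name would let
    the peer influence DNSSEC validation of public names, so it is dropped."""
    if not any(is_within(ta_domain, d) for d in cfg.internal_domains):
        return False
    cfg.dnssec_tas.setdefault(normalize(ta_domain), []).append(ta_record)
    return True


def select_resolver(cfg: SplitDnsConfig, qname: str) -> Tuple[str, List[str], Optional[List[str]]]:
    """Return (resolver_kind, servers, trust_anchors) for a query name.
    Names under an internal domain go only to the tunnel's nameservers
    (MUST in draft-14); every other name uses the system resolver."""
    for dom in cfg.internal_domains:
        if is_within(qname, dom):
            return ("internal", list(cfg.internal_servers), cfg.dnssec_tas.get(normalize(dom)))
    return ("system", [], None)


def sample_config() -> SplitDnsConfig:
    """Constructed sample values standing in for a received CFG_REPLY."""
    cfg = SplitDnsConfig(
        internal_domains=["corp.example", "lab.example.net"],
        internal_servers=["10.0.0.53", "10.0.1.53"],
    )
    # Constructed placeholder DS-style records; not real keys or digests.
    accept_trust_anchor(cfg, "corp.example", "DS 12345 8 2 <placeholder-digest>")
    # Trust anchor for a public domain the peer does not own: rejected.
    accept_trust_anchor(cfg, "example.com", "DS 1 8 2 <placeholder-digest>")
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    for name in ["mail.corp.example", "CORP.EXAMPLE.", "evilcorp.example", "www.example.com"]:
        print(name, "->", select_resolver(cfg, name))
```

The label-boundary check in `is_within` is the part worth copying: a plain suffix comparison would send `evilcorp.example` into the tunnel, and a trust-anchor filter without it would accept an anchor for a public name that merely ends in the internal domain's characters.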
When only a subset of traffic is routed into a private network using
an IPsec SA, these Configuration Payload options can be used to
define which private domains are intended to be resolved through the
IPsec connection without affecting the client's global DNS
End of changes. 4 change blocks.
5 lines changed or deleted, 5 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/