| draft-ietf-ipsecme-split-dns-04.txt | draft-ietf-ipsecme-split-dns-05.txt |
|---|---|
| Network T. Pauly | Network T. Pauly |
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. |
| Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters |
| Expires: July 26, 2018 Red Hat | Expires: August 10, 2018 Red Hat |
| January 22, 2018 | February 6, 2018 |
| Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 |
| draft-ietf-ipsecme-split-dns-04 | draft-ietf-ipsecme-split-dns-05 |
| Abstract | Abstract |
| This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for |
| the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These |
| domains should be resolved using DNS servers reachable through an | domains should be resolved using DNS servers reachable through an |
| IPsec connection, while leaving all other DNS resolution unchanged. | IPsec connection, while leaving all other DNS resolution unchanged. |
| This approach of resolving a subset of domains using non-public DNS | This approach of resolving a subset of domains using non-public DNS |
| servers is referred to as "Split DNS". | servers is referred to as "Split DNS". |
| skipping to change at page 1, line 36 | skipping to change at page 1, line 36 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on July 26, 2018. | This Internet-Draft will expire on August 10, 2018. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| skipping to change at page 7, line 8 | skipping to change at page 7, line 8 |
| \| \| | \| \| |
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ |
| o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. |
| o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. | o Attribute Type (15 bits) 25 - INTERNAL_DNS_DOMAIN. |
| o Length (2 octets, unsigned integer) - Length of domain name. | o Length (2 octets, unsigned integer) - Length of domain name. |
| o Domain Name (0 or more octets) - A Fully Qualified Domain Name | o Domain Name (0 or more octets) - A Fully Qualified Domain Name |
| used for Split DNS rules, such as example.com, in DNS presentation | used for Split DNS rules, such as "example.com", in DNS |
| format and optionally using IDNA [RFC5890] for Internationalized | presentation format and optionally using IDNA [RFC5890] for |
| Domain Names. Implementors need to be careful that this value is | Internationalized Domain Names. Implementors need to be careful |
| not null-terminated. | that this value is not null-terminated. |
| 4.2. INTERNAL_DNSSEC_TA Configuration Attribute | 4.2. INTERNAL_DNSSEC_TA Configuration Attribute |
| 1 2 3 | 1 2 3 |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
| +-+-----------------------------+-------------------------------+ | +-+-----------------------------+-------------------------------+ |
| \|R\| Attribute Type \| Length \| | \|R\| Attribute Type \| Length \| |
| +-+-----------------------------+---------------+---------------+ | +-+-----------------------------+---------------+---------------+ |
| \| Key Tag \| Algorithm \| Digest Type \| | \| DNSKEY Key Tag \| DNSKEY Alg \| Digest Type \| |
| +-------------------------------+---------------+---------------+ | +-------------------------------+---------------+---------------+ |
| \| \| | \| \| |
| ~ Digest ~ | ~ Digest Data ~ |
| \| \| | \| \| |
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ |
| o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. | o Reserved (1 bit) - Defined in IKEv2 RFC [RFC7296]. |
| o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. | o Attribute Type (15 bits) [TBD IANA] - INTERNAL_DNSSEC_TA. |
| o Length (2 octets, unsigned integer) - Length of DNSSEC Trust | o Length (2 octets, unsigned integer) - Length of DNSSEC Trust |
| Anchor data. | Anchor data. |
| o Key Tag value (0 or 2 octets, unsigned integer) - Key Tag as | o DNSKEY Key Tag value (2 octets) - Delegation Signer (DS) Key Tag |
| specified in [RFC4034] Section 5.1 | as specified in [RFC4034] Section 5.1 |
| o Algorithm (0 or 1 octet) - DNSKEY algorithm value from the IANA | o DNSKEY Algorithm (1 octet) - DNSKEY algorithm value from the IANA |
| DNS Security Algorithm Numbers Registry | DNS Security Algorithm Numbers Registry |
| o DS algorithm (0 or 1 octet) - DS algorithm value from the IANA | o Digest Type (1 octet) - DS algorithm value from the IANA |
| Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms | Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms |
| Registry | Registry |
| o Digest (0 or more octets) - The DNSKEY digest as specified in | o Digest Data (2 or more octets) - The DNSKEY digest as specified in |
| [RFC4034] Section 5.1 in presentation format. | [RFC4034] Section 5.1 in presentation format. |
| 5. Split DNS Usage Guidelines | 5. Split DNS Usage Guidelines |
| If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, | If a CFG_REPLY payload contains no INTERNAL_DNS_DOMAIN attributes, |
| the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS | the client MAY use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS |
| servers as the default DNS server(s) for all queries. | servers as the default DNS server(s) for all queries. |
| If a client is configured by local policy to only accept a limited | If a client is configured by local policy to only accept a limited |
| number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any | number of INTERNAL_DNS_DOMAIN values, the client MUST ignore any |
| End of changes. 10 change blocks. | |
| 15 lines changed or deleted | 15 lines changed or added |

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
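The attribute layouts in sections 4.1 and 4.2 and the resolver-selection rule in section 5 are small enough to show end to end. The following Python is an added example written for this page; it is not code from the draft or from any IKEv2 implementation. It encodes and parses INTERNAL_DNS_DOMAIN and the -05 form of INTERNAL_DNSSEC_TA (fixed 2-octet key tag, 1-octet algorithm, 1-octet digest type, then "2 or more octets" of digest data), and applies the section 5 rule for deciding whether a query goes to the IPsec-side servers. Assumptions not stated on the page: the draft leaves the INTERNAL_DNSSEC_TA type "TBD IANA", so the demo uses a value from the RFC 7296 private-use range (16384-32767) as a placeholder; the INTERNAL_IP4_DNS (3) and INTERNAL_IP6_DNS (10) numbers come from RFC 7296 section 3.15.1; "presentation format" for the digest is read as the hexadecimal text of RFC 4034 section 5.1, which is why two octets is the minimum; domain names are accepted as ASCII only, so internationalized names must already be A-labels; and the label-boundary suffix match in `uses_internal_resolver` is this example's design choice, not a rule the draft text on this page states.

```python
"""Encode/parse the IKEv2 CFG attributes from draft-ietf-ipsecme-split-dns-05
and apply its section 5 resolver rule.  Added example, not the draft's code."""
import struct
import ipaddress

ATTR_INTERNAL_IP4_DNS = 3        # RFC 7296 section 3.15.1
ATTR_INTERNAL_IP6_DNS = 10       # RFC 7296 section 3.15.1
ATTR_INTERNAL_DNS_DOMAIN = 25    # value given in the draft
# The draft says "[TBD IANA]" for INTERNAL_DNSSEC_TA.  Placeholder from the
# RFC 7296 private-use range; NOT an IANA assignment.  Use your peer's value.
ATTR_INTERNAL_DNSSEC_TA_PLACEHOLDER = 16384
HEXDIGITS = set("0123456789abcdefABCDEF")


def encode_attribute(attr_type, value):
    """RFC 7296 TLV: R bit zero, 15-bit type, 2-octet length, then value."""
    if not 0 <= attr_type <= 0x7FFF or len(value) > 0xFFFF:
        raise ValueError("attribute type or length out of range")
    return struct.pack("!HH", attr_type, len(value)) + value


def _check_domain(name):
    labels = name.split(".")
    if not name or len(name) > 253 or any(not 1 <= len(l) <= 63 for l in labels):
        raise ValueError("malformed domain name")
    return name


def encode_internal_dns_domain(domain):
    """Presentation format, no trailing dot and, per the draft, no NUL byte.
    Non-ASCII input must already be converted to A-labels (RFC 5890)."""
    name = domain.rstrip(".")
    if "\x00" in name or not name.isascii():
        raise ValueError("domain must be ASCII without a NUL terminator")
    return encode_attribute(ATTR_INTERNAL_DNS_DOMAIN, _check_domain(name).encode("ascii"))


def encode_internal_dnssec_ta(attr_type, key_tag, algorithm, digest_type, digest):
    """-05 layout; the digest travels as RFC 4034 presentation (hex) text."""
    if not (0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF and 0 <= digest_type <= 0xFF):
        raise ValueError("field out of range")
    if not digest:
        raise ValueError("digest data must be at least 2 octets")
    body = struct.pack("!HBB", key_tag, algorithm, digest_type)
    return encode_attribute(attr_type, body + digest.hex().upper().encode("ascii"))


def iter_attributes(payload):
    """Yield (type, value) pairs; the R bit is reserved and ignored on receipt."""
    off = 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if len(payload) - off < length:
            raise ValueError("attribute length exceeds payload")
        yield raw_type & 0x7FFF, payload[off:off + length]
        off += length


def parse_internal_dns_domain(value):
    if value.endswith(b"\x00"):          # the draft's explicit implementor caveat
        raise ValueError("INTERNAL_DNS_DOMAIN must not be null-terminated")
    try:
        name = value.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("expected ASCII; send A-labels for IDNs") from None
    return _check_domain(name.rstrip(".").lower())


def parse_internal_dnssec_ta(value):
    if len(value) < 6:                   # 2 + 1 + 1 + at least 2 octets of hex text
        raise ValueError("INTERNAL_DNSSEC_TA shorter than the -05 minimum")
    key_tag, algorithm, digest_type = struct.unpack_from("!HBB", value)
    text = value[4:].decode("ascii", errors="replace")
    if len(text) % 2 or not set(text) <= HEXDIGITS:
        raise ValueError("digest data is not hex presentation format")
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": bytes.fromhex(text)}


def split_dns_config(payload, dnssec_ta_type):
    """Collect the attributes of a CFG_REPLY that matter for Split DNS."""
    cfg = {"servers": [], "domains": [], "trust_anchors": []}
    for attr_type, value in iter_attributes(payload):
        if attr_type == ATTR_INTERNAL_IP4_DNS and len(value) == 4:
            cfg["servers"].append(str(ipaddress.IPv4Address(value)))
        elif attr_type == ATTR_INTERNAL_IP6_DNS and len(value) == 16:
            cfg["servers"].append(str(ipaddress.IPv6Address(value)))
        elif attr_type == ATTR_INTERNAL_DNS_DOMAIN:
            cfg["domains"].append(parse_internal_dns_domain(value))
        elif attr_type == dnssec_ta_type:
            cfg["trust_anchors"].append(parse_internal_dnssec_ta(value))
    return cfg


def uses_internal_resolver(qname, cfg):
    """Section 5: with no INTERNAL_DNS_DOMAIN the client MAY send everything to
    the internal servers; otherwise only names equal to, or a subdomain of,
    a listed domain.  The '.' prefix keeps notexample.com from matching."""
    name = qname.rstrip(".").lower()
    if not cfg["domains"]:
        return bool(cfg["servers"])
    return any(name == d or name.endswith("." + d) for d in cfg["domains"])


if __name__ == "__main__":
    # Constructed CFG_REPLY attribute area: one IPv4 server, one domain, one TA.
    reply = (encode_attribute(ATTR_INTERNAL_IP4_DNS, bytes([10, 0, 0, 53]))
             + encode_internal_dns_domain("Example.COM.")
             + encode_internal_dnssec_ta(ATTR_INTERNAL_DNSSEC_TA_PLACEHOLDER, 12345, 13, 2, bytes(range(32))))
    cfg = split_dns_config(reply, ATTR_INTERNAL_DNSSEC_TA_PLACEHOLDER)
    print(cfg)
    print(uses_internal_resolver("www.example.com", cfg), uses_internal_resolver("notexample.com", cfg))
```

The two rejections worth keeping in a real client are the ones the diff highlights: a NUL-terminated domain (a C sender that copies a string including its terminator) fails to match any query, so the parser refuses it rather than silently storing "example.com\0", and a trust-anchor attribute shorter than the -05 minimum of six octets is rejected instead of being read with the optional-field semantics of -04.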