I support adoption of this work. The mechanism of specifying the authentication domain name and service parameters is sound, and the right direction.
I do agree with Paul Wouters’ comments, and I think the parts of the document that deal with requirements for config requests need work. Ideally, this doesn’t need to update split-DNS, but instead just reference the fact that the encrypted resolvers MUST always be preferred when present. The text also needs to be careful about not over-mandating behavior. For example, the text currently says the following:

    If the IPsec connection is a split-tunnel configuration and the initiator negotiated INTERNAL_DNS_DOMAIN as per [RFC8598], the DNS client MUST resolve the internal names using ENCDNS_IP* DNS servers.

RFC 8598 has a bit more leeway, explaining that there may be some domains that are prohibited by local policy from being claimed by the IKE tunnel. This needs to be maintained.

    For each INTERNAL_DNS_DOMAIN entry in a CFG_REPLY payload that is not prohibited by local policy, the client MUST use the provided INTERNAL_IP4_DNS or INTERNAL_IP6_DNS DNS servers as the only resolvers for the listed domains and its subdomains, and it MUST NOT attempt to resolve the provided DNS domains using its external DNS servers.

Best,
Tommy

> On Nov 8, 2021, at 6:17 AM, Tero Kivinen <kivi...@iki.fi> wrote:
>
> This is the start of 2 week WG adoption call for this document, ending
> 2021-11-22. Please send your reply about whether you support adopting
> this document as WG document or not.
> --
> kivi...@iki.fi
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
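As an added illustration of the resolver-selection behavior discussed in the message above (this is example code written for this page, not text from the draft, RFC 8598 or the mailing list), the routine below applies the RFC 8598 rule with the local-policy exception and prefers ENCDNS_IP* servers over INTERNAL_IP*_DNS when the CFG_REPLY carried them. The CfgReply shape, the (address, ADN) tuple for encrypted resolvers and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CfgReply:
    """Assumed shape of the relevant CFG_REPLY attributes (illustration only)."""
    internal_dns_domains: list              # INTERNAL_DNS_DOMAIN entries
    internal_dns: list                      # INTERNAL_IP4_DNS / INTERNAL_IP6_DNS
    encdns: list = field(default_factory=list)  # ENCDNS_IP4/IP6 as (addr, ADN)


def _under(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def select_resolvers(qname, reply, external_dns, prohibited=()):
    """Return (label, servers) to use for qname.

    - INTERNAL_DNS_DOMAIN entries that local policy prohibits from being
      claimed by the tunnel are ignored entirely (RFC 8598 leeway).
    - A name under a remaining entry is resolved only via tunnel resolvers,
      ENCDNS_IP* preferred, INTERNAL_IP*_DNS as fallback; never external.
    - Everything else goes to the external resolvers.
    """
    allowed = [d for d in reply.internal_dns_domains
               if not any(_under(d, p) for p in prohibited)]
    claimed = [d for d in allowed if _under(qname, d)]
    if claimed:
        if reply.encdns:
            return ("encrypted-internal", list(reply.encdns))
        return ("internal", list(reply.internal_dns))
    return ("external", list(external_dns))


# Constructed sample: two claimed domains, one encrypted resolver, and a local
# policy that refuses to let the tunnel claim anything under example.net.
SAMPLE_REPLY = CfgReply(
    internal_dns_domains=["example.com", "corp.example.net"],
    internal_dns=["10.0.0.53"],
    encdns=[("10.0.0.54", "dns.example.com")],
)
SAMPLE_EXTERNAL = ["192.0.2.1"]
SAMPLE_PROHIBITED = ("example.net",)
```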