[dns-operations] dns mud report, continued

Edward Lewis Ed.Lewis at neustar.biz
Wed Nov 28 16:06:48 UTC 2007

At 8:12 AM -0800 11/18/07, Roland Dobbins wrote:

>Irrespective of the use of RFC1918, I always advise end-sites to use
>split-horizon for nodes which aren't meant to be publicly accessible 
>simply to avoid leaking potentially useful information to an external 
>attacker.  But in my personal experience, I've found that the 
>overwhelming majority of sites which could benefit from split-horizon
>don't know what it is and therefore haven't implemented it.

Believe it or not, the IETF still hasn't documented what split DNS 
is. ("Split-horizon" is a bug in one class of route determination 
protocols.)  Maybe we can urge the IETF to get a document out on this.

A few years ago, someone put forth a document, I commented heavily on 
it, but it has gone nowhere.  That's why I haven't just written one 
myself.  (And why I'm being so obnoxious in this email.)



    suresh krishnaswamy: documents a way to config
        split-DNS with DNSSEC. This document is not about
        information hiding. split-views and DNSSEC may seem
        mutually conflicting.

    keith moore: example doesn't show apps
    rob austein: we're not here to debate split dns in
        general, this is limited to DNSSEC applied to split
        DNS given that split DNS will be used regardless
    ed lewis: split-view is essential, good to get it
    sam weiler: disagree with keith
    bill manning: advance it. the philosophical issues
        are not a topic for this WG
    russ mundy: important to get modern documents on how
        to get DNSSEC working in present environments

No, I don't hold grudges. ;)
Edward Lewis                                                +1-571-434-5468

Think glocally.  Act confused.