<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: [dns-operations] dns mud report,
continued</title></head><body>
<div>At 8:12 AM -0800 11/18/07, Roland Dobbins wrote:</div>
<div><br></div>
<div>&gt;Irrespective of the use of RFC1918, I always advise end-sites to use<br>
&gt;split-horizon for nodes which aren't meant to be publicly accessible<br>
&gt;simply to avoid leaking potentially useful information to an external<br>
&gt;attacker. But in my personal experience, I've found that the<br>
&gt;overwhelming majority of sites which could benefit from split-horizon<br>
&gt;don't know what it is and therefore haven't implemented it.</div>
<div><br></div>
<div>Believe it or not, the IETF still hasn't documented what split
DNS is. ("Split-horizon" is a bug in one class of route
determination protocols.) Maybe we can urge the IETF to get a
document out on this topic.</div>
<div><br></div>
<div>A few years ago, someone put forth a document, I commented
heavily on it, but it has gone nowhere. That's why I haven't
just written one myself. (And why I'm being so obnoxious in this
email.)</div>
<div><br></div>
<div>http://www1.ietf.org/mail-archive/web/dnsop/current/msg03566.html</div>
<div><br></div>
<div>
draft-krishnaswamy-dnsop-split-view...<br>
<br>
suresh krishnaswamy: documents a way to config split-DNS with DNSSEC. This document is not about information hiding. split-views and DNSSEC may seem mutually conflicting.<br>
<br>
keith moore: example doesn't show apps<br>
rob austein: we're not here to debate split dns in general, this is limited to DNSSEC applied to split DNS given that split DNS will be used regardless<br>
ed lewis: split-view is essential, good to get it documented<br>
sam weiler: disagree with keith<br>
bill manning: advance it. the philosophical issues are not a topic for this WG<br>
russ mundy: important to get modern documents on how to get DNSSEC working in present environments<br>
</div>
<div>No, I don't hold grudges. ;)</div>
<x-sigsep><pre>--
</pre></x-sigsep>
<div
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=<span
></span>-=-=-=-<br>
Edward
Lewis <span
></span
> <span
></span
> <span
></span
> <span
></span> +1-571-434-5468<br>
NeuStar</div>
<div><br></div>
<div>Think glocally. Act confused.</div>
</body>
</html>