--- 1/draft-ietf-ipsecme-split-dns-03.txt 2018-01-22 09:13:13.617022912 -0800 +++ 2/draft-ietf-ipsecme-split-dns-04.txt 2018-01-22 09:13:13.645023573 -0800 @@ -1,19 +1,19 @@ Network T. Pauly Internet-Draft Apple Inc. Intended status: Standards Track P. Wouters -Expires: May 16, 2018 Red Hat - November 12, 2017 +Expires: July 26, 2018 Red Hat + January 22, 2018 Split DNS Configuration for IKEv2 - draft-ietf-ipsecme-split-dns-03 + draft-ietf-ipsecme-split-dns-04 Abstract This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that add support for private DNS domains. These domains should be resolved using DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. This approach of resolving a subset of domains using non-public DNS servers is referred to as "Split DNS". 
@@ -25,25 +25,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 16, 2018. + This Internet-Draft will expire on July 26, 2018. Copyright Notice - Copyright (c) 2017 IETF Trust and the persons identified as the + Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as 
@@ -59,21 +59,21 @@ 3.2. Configuration Reply . . . . . . . . . . . . . . . . . . . 4 3.3. Mapping DNS Servers to Domains . . . . . . . . . . . . . 5 3.4. Example Exchanges . . . . . . . . . . . . . . . . . . . . 5 3.4.1. Simple Case . . . . . . . . . . . . . . . . . . . . . 5 3.4.2. Requesting Domains and DNSSEC trust anchors . . . . . 6 4. Payload Formats . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. INTERNAL_DNS_DOMAIN Configuration Attribute Type . . . . 6 4.2. INTERNAL_DNSSEC_TA Configuration Attribute . . . . . . . 7 5. Split DNS Usage Guidelines . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction Split DNS is a common configuration for secure tunnels, such as Virtual Private Networks in which host machines private to an organization can only be resolved using internal DNS resolvers 
@@ -355,25 +355,20 @@ using some other external DNS resolver(s), configured independently from IKE. Queries for these other domains MAY be sent to the internal DNS resolver(s) listed in that CFG_REPLY message, but have no guarantee of being answered. For example, if the INTERNAL_DNS_DOMAIN attribute specifies "example.com", then "example.com", "www.example.com" and "mail.eng.example.com" MUST be resolved using the internal DNS resolver(s), but "anotherexample.com" and "ample.com" SHOULD NOT be resolved using the internal resolver and SHOULD use the system's external DNS resolver(s). - An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes containing - domains that are designated Special Use Domain Names in [RFC6761], - such as "local", "localhost", "invalid", etc. Although it may - explicitly wish to support some Special Use Domain Names. - When an IKE SA is terminated, the DNS forwarding must be unconfigured. The DNS forwarding itself MUST be be deleted. All cached data of the INTERNAL_DNS_DOMAIN provided DNS domainis MUST be flushed. This includes negative cache entries. Obtained DNSSEC trust anchors MUST be removed from the list of trust anchors. The outstanding DNS request queue MUST be cleared. INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA attributes SHOULD only be used on split tunnel configurations where only a subset of traffic is routed into a private remote network using the IPsec connection. If 
@@ -411,27 +406,23 @@ public DNS view, for which it has not explicitely requested such deletation by specifying the domain specifically using a INTERNAL_DNS_DOMAIN(domain) request. A domain that is served via INTERNAL_DNS_DOMAIN should pay close attention to their use of indirect reference RRtypes such as CNAME, DNAME, MX or SRV records so that resolving works as intended when all, some or none of the IPsec connections are established. The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be - passed to another (DNS) program for processing. The content MUST be - verified and sanitized before passing it to other software. For - example, domain names are limited to alphanumeric characters and the - minus ("-") and underscore ("_") symbol and if other other characters - are present, the entire payload could be ignored and not passed to - DNS software, or the malicious characters could be filtered out - before passing the payload to DNS software. + passed to another (DNS) program for processing. As with any network + input, the content should be considered untrusted and handled + accordingly. 7. IANA Considerations This document defines two new IKEv2 Configuration Payload Attribute Types, which are allocated from the "IKEv2 Configuration Payload Attribute Types" namespace. Multi- Value Attribute Type Valued Length Reference ------ ------------------- ------ ---------- --------------- 
@@ -468,24 +459,20 @@ Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . 8.2. Informative References [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, DOI 10.17487/RFC2775, February 2000, . - [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", - RFC 6761, DOI 10.17487/RFC6761, February 2013, - . - [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014, . Authors' Addresses Tommy Pauly Apple Inc. 1 Infinite Loop Cupertino, California 95014
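Review bot: In the hunk at @@ -355,25 +355,20 @@, deleting the paragraph on Special Use Domain Names leaves the draft with no guidance on what an initiator does when a responder sends INTERNAL_DNS_DOMAIN values such as "local", "localhost" or "invalid", so an implementation following the text literally would forward those names to the VPN's internal resolvers. If the intent is to allow initiators to support some special-use names, keep a normative sentence to that effect (e.g. "An initiator SHOULD ignore INTERNAL_DNS_DOMAIN attributes naming Special Use Domain Names [RFC6761] unless explicitly configured to accept them") rather than removing the requirement entirely. The unchanged context in the same hunk also carries two typos worth fixing in this revision: "MUST be be deleted" and "DNS domainis".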
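Review bot: In the hunk at @@ -411,27 +406,23 @@, replacing "The content MUST be verified and sanitized before passing it to other software" with "should be considered untrusted and handled accordingly" downgrades a normative requirement to advice without a concrete check, which is a loss for a Security Considerations section whose subject is data handed from IKE to a DNS resolver. The old character list was indeed too narrow to keep, but the fix is to state the real requirement, for instance "The content MUST be validated as a syntactically valid DNS name (label and total length limits, permitted octets) before being passed to DNS software, and attributes that fail validation MUST be ignored." The unchanged context lines above the change also contain "explicitely" and "deletation" (delegation), and the IANA table header is split as "Multi- Value".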
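Review bot: In the hunk at @@ -468,24 +459,20 @@, dropping the [RFC6761] entry from the Informative References is only correct if the paragraph removed in the earlier hunk was its sole citation; please confirm no other "[RFC6761]" remains in the body, since an orphaned citation will be flagged by idnits, and conversely, if the Special Use Domain Names guidance is retained in any form, this reference needs to stay.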