draft-ietf-ipsecme-split-dns-13.txt | draft-ietf-ipsecme-split-dns-14.txt | |||
---|---|---|---|---|
Network T. Pauly | Network T. Pauly | |||
Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
Intended status: Standards Track P. Wouters | Intended status: Standards Track P. Wouters | |||
Expires: April 25, 2019 Red Hat | Expires: May 7, 2019 Red Hat | |||
October 22, 2018 | November 3, 2018 | |||
Split DNS Configuration for IKEv2 | Split DNS Configuration for IKEv2 | |||
draft-ietf-ipsecme-split-dns-13 | draft-ietf-ipsecme-split-dns-14 | |||
Abstract | Abstract | |||
This document defines two Configuration Payload Attribute Types for | This document defines two Configuration Payload Attribute Types for | |||
the IKEv2 protocol that add support for private DNS domains. These | the IKEv2 protocol that add support for private DNS domains. These | |||
domains are intended to be resolved using DNS servers reachable | domains are intended to be resolved using DNS servers reachable | |||
through an IPsec connection, while leaving all other DNS resolution | through an IPsec connection, while leaving all other DNS resolution | |||
unchanged. This approach of resolving a subset of domains using non- | unchanged. This approach of resolving a subset of domains using non- | |||
public DNS servers is referred to as "Split DNS". | public DNS servers is referred to as "Split DNS". | |||
skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on April 25, 2019. | This Internet-Draft will expire on May 7, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 47 ¶ | skipping to change at page 2, line 47 ¶ | |||
resolve hosts within a set of private domains using the tunnel, while | resolve hosts within a set of private domains using the tunnel, while | |||
letting resolutions for public hosts be handled by a device's default | letting resolutions for public hosts be handled by a device's default | |||
DNS configuration. | DNS configuration. | |||
The Internet Key Exchange protocol version 2 [RFC7296] negotiates | The Internet Key Exchange protocol version 2 [RFC7296] negotiates | |||
configuration parameters using Configuration Payload Attribute Types. | configuration parameters using Configuration Payload Attribute Types. | |||
This document defines two Configuration Payload Attribute Types that | This document defines two Configuration Payload Attribute Types that | |||
add support for trusted Split DNS domains. | add support for trusted Split DNS domains. | |||
The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more | The INTERNAL_DNS_DOMAIN attribute type is used to convey one or more | |||
DNS domains that SHOULD be resolved only using the provided DNS | DNS domains that MUST be resolved only using the provided DNS | |||
nameserver IP addresses, causing these requests to use the IPsec | nameserver IP addresses, causing these requests to use the IPsec | |||
connection. | connection. | |||
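Review bot: Raising SHOULD to MUST in the INTERNAL_DNS_DOMAIN paragraph turns exclusive use of the provided nameserver IP addresses into a hard conformance requirement for the client, but the paragraph does not say what a client does when a query for a listed domain cannot be answered by those nameservers (for example while the IPsec connection is down). Since the abstract states that all other DNS resolution is left unchanged, the text should say explicitly that queries for the listed domains fail rather than fall back to the client's default DNS configuration, or point to the section that specifies that behaviour; otherwise the MUST is not testable.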
The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust | The INTERNAL_DNSSEC_TA attribute type is used to convey DNSSEC trust | |||
anchors for those domains. | anchors for those domains. | |||
When only a subset of traffic is routed into a private network using | When only a subset of traffic is routed into a private network using | |||
an IPsec SA, these Configuration Payload options can be used to | an IPsec SA, these Configuration Payload options can be used to | |||
define which private domains are intended to be resolved through the | define which private domains are intended to be resolved through the | |||
IPsec connection without affecting the client's global DNS | IPsec connection without affecting the client's global DNS | |||
End of changes. 4 change blocks. | ||||
5 lines changed or deleted | 5 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |