draft-krishnaswamy-dnsop-dnssec-split-view-02 Why?

1
draft-krishnaswamy-dnsop-dnssec-split-view-02Why
?

• Suresh Krishnaswamy
• SPARTA, Inc.

2
Why do people use split-views?

• Because of Firewalls and NATs (Need to access
  resources from outside when inside consists
  of RFC 1918 addresses)
• For network management reasons (confining names
  to regions)
• For name transparency within applications that
  run over VPNs
• Because of the (somewhat false) notion that
  hiding internal names provides more security to
  the hosts identified by those names
• Probably many more reasons

3
Is split-views good idea?

• Maybe
• Depends on what you want to use it for
• Bottom line is that it is a fact of life
• We likely cannot stop the use of it

4
Why should this WG care about split-views?

• With split-views, different (legitimate) answers
  are possible for the same question - this
  feature can be seen as conflicting with the
  goals of DNSSEC
• Conflicting goals can still be reconciled by
  proper channeling of queries and selection of
  trust-anchors
• You can get this wrong very easily if youre not
  careful.

5
Whats in this draft?

• Describes different ways of configuring
  split-views based on different trade-offs
• Important technical piece that covers a common
  operating scenario

6
To Sum

• Operators are using split-views
• This use will likely not stop
• We want to get DNSSEC deployed
• We need to offer solutions to enable split-views
  and DNSSEC