Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2)
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org>
To: IETF-Announce <email@example.com>
Cc: David Waltermire <firstname.lastname@example.org>, The IESG <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Subject: Protocol Action: 'Split DNS Configuration for IKEv2' to Proposed Standard (draft-ietf-ipsecme-split-dns-17.txt)

The IESG has approved the following document:
- 'Split DNS Configuration for IKEv2' (draft-ietf-ipsecme-split-dns-17.txt) as Proposed Standard

This document is the product of the IP Security Maintenance and Extensions Working Group.

The IESG contact persons are Benjamin Kaduk and Eric Rescorla.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ipsecme-split-dns/
Technical Summary

The IPsecME working group obsoleted the IKEv1 protocol in favor of the IKEv2 protocol many years ago. However, IKEv2 never had an option to send one or more DNS domains from a Remote Access VPN server to the VPN clients; IKEv1 did have that option via XAUTH/ModeCFG. This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that add support for private DNS domains. These domains are intended to be resolved using DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. This approach of resolving a subset of domains using non-public DNS servers is referred to as "Split DNS".

Working Group Summary

The draft had no controversy. It has been discussed frequently on the mailing list, and many comments have been provided on list by people other than the authors, including implementors. In addition to mailing list discussions, the draft has been presented and discussed during the last three IETF meetings (98, 99, 100). The participants in the room supported the draft on various hums for the specific design decisions made in the document.

Document Quality

The document is supported by implementors, and the authors also represent a subset of implementors. Interoperability of the DNS domain attribute has been confirmed by at least three independent implementations. DNSSEC trust anchor (TA) support has not seen an implementation or interoperability test, but the format is sufficiently simple that no one is worried.

Personnel

The Document Shepherd is David Waltermire. The responsible Area Director is Eric Rescorla.
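The Technical Summary describes the mechanism only in outline: the server hands the client one or more private DNS domains in a Configuration Payload, and the client resolves those domains (and only those) through the tunnel. The following Python block is an added example written for this page, not code from the draft or from any of the implementations the writeup mentions. It parses the Configuration Attribute TLV list in the generic RFC 7296 format (one reserved bit, 15-bit attribute type, 16-bit length, value) and applies a resolver-selection policy. Assumptions: the attribute type number 25 is the IANA value that the published RFC 8598 assigned to INTERNAL_DNS_DOMAIN, which this page does not state; the client-side allow-list and the rejection of root and single-label names are this example's own policy choice, not something the writeup describes; the sample payload, server addresses and query names are constructed.

```python
"""Client-side handling of IKEv2 split-DNS configuration (added example)."""
import struct
from typing import List, Optional, Tuple

# Attribute type for INTERNAL_DNS_DOMAIN. Assumption: 25 is the IANA value
# assigned in the published RFC 8598; the datatracker page does not state it.
INTERNAL_DNS_DOMAIN = 25
CFG_REPLY = 2  # CFG Type value for CFG_REPLY per RFC 7296


def parse_cfg_attributes(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 4-byte CFG header (CFG Type plus
    three reserved bytes). Each attribute is R|type (2 bytes, R is the high
    bit), length (2 bytes), value. Raises ValueError on a truncated list."""
    if len(body) < 4:
        raise ValueError("configuration payload too short")
    attrs = []
    off = 4
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated attribute header")
        rtype, length = struct.unpack_from("!HH", body, off)
        atype = rtype & 0x7FFF  # drop the reserved high bit
        off += 4
        if len(body) - off < length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((atype, body[off:off + length]))
        off += length
    return attrs


def cfg_is_well_formed(body: bytes) -> bool:
    try:
        parse_cfg_attributes(body)
        return True
    except ValueError:
        return False


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def under(name: str, parent: str) -> bool:
    """True when name equals parent or is a subdomain of it on a label
    boundary, so 'notexample.com' is not under 'example.com'."""
    return name == parent or name.endswith("." + parent)


def accept_internal_domain(name: str, allowed: Optional[List[str]]) -> bool:
    """Policy choice of this example (not from the page): refuse the root and
    single-label names, and refuse anything outside a configured allow-list.
    Without this, a server claiming 'com' would pull most of the client's DNS
    traffic through the tunnel."""
    if not name or "." not in name:
        return False
    if allowed is not None and not any(under(name, normalize(a)) for a in allowed):
        return False
    return True


def domains_from_cfg(body: bytes, allowed: Optional[List[str]] = None) -> List[str]:
    """Extract the INTERNAL_DNS_DOMAIN names the client is willing to honour."""
    out = []
    for atype, value in parse_cfg_attributes(body):
        if atype != INTERNAL_DNS_DOMAIN:
            continue
        try:
            name = normalize(value.decode("ascii"))
        except UnicodeDecodeError:
            continue  # domain names in this attribute are ASCII; skip junk
        if accept_internal_domain(name, allowed):
            out.append(name)
    return out


def resolver_for(qname: str, internal_domains: List[str],
                 internal_servers: List[str], public_servers: List[str]) -> List[str]:
    """Split-DNS decision: tunnel resolvers for the claimed domains, the
    client's normal resolvers for everything else."""
    q = normalize(qname)
    if any(under(q, d) for d in internal_domains):
        return internal_servers
    return public_servers


def build_cfg_reply(domains: List[str]) -> bytes:
    """Constructed sample CFG_REPLY body carrying one attribute per domain."""
    body = bytes([CFG_REPLY, 0, 0, 0])
    for d in domains:
        v = d.encode("ascii")
        body += struct.pack("!HH", INTERNAL_DNS_DOMAIN, len(v)) + v
    return body


if __name__ == "__main__":
    # Constructed sample: a server claiming two private zones and, abusively, "com".
    reply = build_cfg_reply(["example.com", "corp.internal", "com"])
    zones = domains_from_cfg(reply)
    print("accepted zones:", zones)
    for q in ["www.example.com", "notexample.com", "EXAMPLE.COM."]:
        print(q, "->", resolver_for(q, zones, ["10.0.0.53"], ["9.9.9.9"]))
```

The label-boundary check in `under` and the rejection of single-label names are the two places where a naive implementation goes wrong: a plain `endswith` match leaks queries for look-alike public names into the tunnel, and accepting a TLD lets the VPN server capture resolution far beyond its own zones.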