Red Hat Bugzilla – Bug 1300763
Implement draft-pauly-ipsecme-split-dns-00 for libreswan
Last modified: 2017-09-11 07:42:00 EDT
Description of problem:
Improved support for DNS configuration in IKEv2 which also supports DNSSEC.
Here is a better description from the latest draft:
This document defines two Configuration Payload Attribute Types for the IKEv2 protocol that define sets of private DNS domains which should be resolved by DNS servers reachable through an IPsec connection, while leaving all other DNS resolution unchanged. The options define the set of DNS domains, DNS nameserver IP addresses and DNSSEC trust anchors to use for these DNS domains. This approach of resolving a subset of domains using an IPSec connection is referred to as "split-DNS". The information obtained via these attribute types can be used to reconfigure the local DNS resolution to use DNS forwarding for specific private domains.
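The following is an added example, not code from the bug report, the draft, or libreswan. It shows what a client has to do with the information the draft describes: decode the Configuration Payload attributes (the generic attribute header is the one from RFC 7296; the INTERNAL_IP4_DNS and INTERNAL_IP6_DNS type codes are from RFC 7296), collect the domains, nameservers and DNSSEC trust anchors, apply a local policy to the received domains, and emit forwarding rules for only those domains. Assumptions for this example: the type codes used for the domain and trust-anchor attributes, the trust-anchor value layout (key tag, algorithm, digest type, digest), the unbound-style output syntax, and the sample payload are all constructed here and are not taken from the page. The policy step is the part a defender cares about: a gateway should only be able to take over resolution for domains the client has agreed to forward, never the root or a public top-level domain.

```python
"""Decode split-DNS configuration attributes and build resolver forwarding rules.

Added example; not the bug report's, the draft's or libreswan's code.
Assumed for this example (not stated on the page): the DNS_DOMAIN and
DNSSEC_TA type codes, the trust-anchor value layout, the unbound-style
output, and the sample payload.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

# Attribute header (RFC 7296 section 3.15.1): 1 reserved bit + 15-bit type,
# 16-bit length, then the value.
INTERNAL_IP4_DNS = 3        # RFC 7296
INTERNAL_IP6_DNS = 10       # RFC 7296
INTERNAL_DNS_DOMAIN = 25    # ASSUMED code for this example
INTERNAL_DNSSEC_TA = 26     # ASSUMED code for this example


@dataclass
class SplitDnsInfo:
    nameservers: list = field(default_factory=list)    # IP address strings
    domains: list = field(default_factory=list)        # domain names as received
    trust_anchors: dict = field(default_factory=dict)  # domain -> [(keytag, alg, dtype, hexdigest)]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Build one configuration attribute (used here only to construct sample input)."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value


def parse_cfg_attributes(data: bytes) -> SplitDnsInfo:
    """Walk a sequence of configuration attributes and collect split-DNS data."""
    info = SplitDnsInfo()
    last_domain = None          # a trust anchor applies to the preceding domain (assumed)
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack_from("!HH", data, off)
        attr_type = raw_type & 0x7FFF          # mask the reserved bit
        off += 4
        value = data[off:off + length]
        if len(value) != length:
            raise ValueError("attribute length exceeds payload")
        off += length
        if attr_type == INTERNAL_IP4_DNS and length == 4:
            info.nameservers.append(str(ipaddress.IPv4Address(value)))
        elif attr_type == INTERNAL_IP6_DNS and length == 16:
            info.nameservers.append(str(ipaddress.IPv6Address(value)))
        elif attr_type == INTERNAL_DNS_DOMAIN:
            last_domain = value.decode("utf-8").rstrip(".").lower()
            info.domains.append(last_domain)
        elif attr_type == INTERNAL_DNSSEC_TA:
            if last_domain is None or length < 4:
                raise ValueError("trust anchor without a preceding domain")
            keytag, alg, dtype = struct.unpack_from("!HBB", value, 0)
            info.trust_anchors.setdefault(last_domain, []).append(
                (keytag, alg, dtype, value[4:].hex()))
        # Other attribute types (addresses, netmasks, ...) are not split-DNS related.
    return info


def filter_domains(domains, allowed_suffixes):
    """Client-side policy: accept only domains under locally configured suffixes,
    and never the root or a bare top-level label. Without this, the gateway
    could redirect resolution of arbitrary public domains through the tunnel."""
    accepted = []
    for d in domains:
        if "." not in d:
            continue
        if any(d == s or d.endswith("." + s) for s in allowed_suffixes):
            accepted.append(d)
    return accepted


def render_unbound(info: SplitDnsInfo, allowed_suffixes) -> str:
    """Emit trust anchors and forward-zone stanzas (unbound syntax) for accepted domains."""
    accepted = filter_domains(info.domains, allowed_suffixes)
    lines = ["server:"]
    for d in accepted:
        for keytag, alg, dtype, digest in info.trust_anchors.get(d, []):
            lines.append(f'    trust-anchor: "{d}. DS {keytag} {alg} {dtype} {digest}"')
    for d in accepted:
        lines.append("forward-zone:")
        lines.append(f'    name: "{d}"')
        for ns in info.nameservers:
            lines.append(f"    forward-addr: {ns}")
    return "\n".join(lines)


# Constructed sample payload: one nameserver, one private domain with a trust
# anchor, plus two domains the local policy should reject.
SAMPLE_PAYLOAD = b"".join([
    encode_attr(INTERNAL_IP4_DNS, ipaddress.IPv4Address("10.0.0.53").packed),
    encode_attr(INTERNAL_DNS_DOMAIN, b"corp.example"),
    encode_attr(INTERNAL_DNSSEC_TA, struct.pack("!HBB", 12345, 13, 2) + bytes(range(32))),
    encode_attr(INTERNAL_DNS_DOMAIN, b"com"),
    encode_attr(INTERNAL_DNS_DOMAIN, b"other.example"),
])

if __name__ == "__main__":
    print(render_unbound(parse_cfg_attributes(SAMPLE_PAYLOAD), ["corp.example"]))
```

Running the block prints a forward-zone for corp.example with its trust anchor only; "com" is dropped as a bare top-level label and "other.example" because it is outside the allowed suffix list, so ordinary resolution for both stays unchanged, which is the "leaving all other DNS resolution unchanged" property the draft text describes.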