Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 8598

Approval announcement
Draft of message to be sent after approval:


From: The IESG
To: IETF-Announce
Cc: David Waltermire, The IESG
Subject: Protocol Action: 'Split DNS Configuration for IKEv2' to Proposed Standard (draft-ietf-ipsecme-split-dns-17.txt)

The IESG has approved the following document:
- 'Split DNS Configuration for IKEv2'
  (draft-ietf-ipsecme-split-dns-17.txt) as Proposed Standard

This document is the product of the IP Security Maintenance and Extensions
Working Group.

The IESG contact persons are Benjamin Kaduk and Eric Rescorla.

A URL of this Internet Draft is:

Ballot Text

Technical Summary

The IPsecME working group obsoleted the IKEv1 protocol in favor of
the IKEv2 protocol many years ago. However, IKEv2 never had an option
to send one or more DNS domains from a Remote Access VPN server to the
VPN clients. IKEv1 did have that option via XAUTH/ModeCFG.

This document defines two Configuration Payload Attribute Types for
the IKEv2 protocol that add support for private DNS domains.  These
domains are intended to be resolved using DNS servers reachable
through an IPsec connection, while leaving all other DNS resolution
unchanged.  This approach of resolving a subset of domains using non-
public DNS servers is referred to as "Split DNS".
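As an added example (not code from RFC 8598 or from any IKEv2 implementation), the following shows the client-side resolver selection that Split DNS implies: names under an internal domain go to the DNS servers reachable through the IPsec connection, everything else keeps the system resolvers. It assumes the internal domains and DNS servers have already been received from the VPN server in the IKEv2 Configuration Payload; all names and addresses below are constructed.

```python
# Added illustration of Split DNS resolver selection; not RFC 8598 code.
from dataclasses import dataclass
from typing import List


@dataclass
class SplitDnsConfig:
    internal_domains: List[str]  # assumed received via IKEv2 Configuration Payload
    internal_dns: List[str]      # DNS servers reachable through the IPsec connection
    system_dns: List[str]        # the host's normal resolvers, left unchanged


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.rstrip(".").lower()


def matches_domain(query: str, domain: str) -> bool:
    """True if query equals domain or is a subdomain of it.

    Matching is on label boundaries, so 'evilexample.com' does not
    match the internal domain 'example.com'.
    """
    q, d = _normalize(query), _normalize(domain)
    return q == d or q.endswith("." + d)


def select_resolvers(config: SplitDnsConfig, query: str) -> List[str]:
    """Return the DNS servers to use for this query name."""
    if any(matches_domain(query, d) for d in config.internal_domains):
        return config.internal_dns
    return config.system_dns


# Constructed sample configuration (addresses are RFC 5737 documentation ranges).
CONFIG = SplitDnsConfig(
    internal_domains=["example.com", "corp.example"],
    internal_dns=["192.0.2.53"],
    system_dns=["198.51.100.1"],
)

if __name__ == "__main__":
    for name in ["www.example.com", "evilexample.com", "EXAMPLE.COM.", "ietf.org"]:
        print(name, "->", select_resolvers(CONFIG, name))
```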

Working Group Summary

The draft had no controversy. The draft has been discussed frequently on
the mailing list, and many comments have been provided on the list by
people other than the authors, including implementors. In addition to
mailing list discussions, the draft has been presented and discussed
during the last three IETF meetings (98, 99, 100). The draft has been
supported by the participants in the room on various hums for the
specific design decisions made in the document.

Document Quality

The document is supported by implementors, and the authors also represent a
subset of implementors. Interoperability of the DNS domain attribute has been
confirmed by at least three independent implementations. DNSSEC trust anchor
(TA) support has not seen an implementation or interoperability test, but
the format is sufficiently simple that no one is worried.

The Document Shepherd is David Waltermire. The responsible Area
Director is Eric Rescorla.

RFC Editor Note