Re: [dane] [Technical Errata Reported] RFC7672 (5395)

Benjamin Kaduk <kaduk@mit.edu> Sat, 16 June 2018 23:29 UTC

Date: Sat, 16 Jun 2018 18:29:16 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, ietf-dane@dukhovni.org, ietf@hardakers.net, ekr@rtfm.com, ogud@ogud.com, warren@kumari.net, matt@mattmccutchen.net, dane@ietf.org
Message-ID: <20180616232916.GB64971@kduck.kaduk.org>
References: <20180616142946.51588B810A8@rfc-editor.org> <FB36F471-DFF2-4302-892B-0FDC11DFCA9E@vpnc.org>
In-Reply-To: <FB36F471-DFF2-4302-892B-0FDC11DFCA9E@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/T2YM-P4oO37kIMZHqzBZVatFIaM>
Subject: Re: [dane] [Technical Errata Reported] RFC7672 (5395)
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

On Sat, Jun 16, 2018 at 04:10:28PM -0700, Paul Hoffman wrote:
> This erratum should be rejected. RFC 4035 defines "indeterminate" in 
> Section 4.4.3. RFC 4035 and RFC 4033 define "indeterminate" differently.

This statement is in the context of resolving the discrepancy; the
full context is:

   A DNS lookup may signal an error or return a definitive answer.  A
   security-aware resolver MUST be used for this specification.
   Security-aware resolvers will indicate the security status of a DNS
   RRset with one of four possible values defined in Section 4.3 of
   [RFC4035]: "secure", "insecure", "bogus", and "indeterminate".  In
   [RFC4035], the meaning of the "indeterminate" security status is:

      An RRset for which the resolver is not able to determine whether
      the RRset should be signed, as the resolver is not able to obtain
      the necessary DNSSEC RRs.  This can occur when the security-aware
      resolver is not able to contact security-aware name servers for
      the relevant zones.

   Note that the "indeterminate" security status has a conflicting
   definition in Section 5 of [RFC4033]:

      There is no trust anchor that would indicate that a specific
      portion of the tree is secure.

   In this document, the term "indeterminate" will be used exclusively
   in the [RFC4035] sense.  Therefore, obtaining "indeterminate" lookup
   results is a (transient) failure condition, namely, the inability to
   locate the relevant DNS records.  DNS records that would be
   classified "indeterminate" in the sense of [RFC4035] are simply
   classified as "insecure".

It's clear that the last statement is intended to contrast the two
senses, so the 4033 reference is correct.

-Benjamin

> --Paul Hoffman
> 
> On 16 Jun 2018, at 7:29, RFC Errata System wrote:
> 
> > The following errata report has been submitted for RFC7672,
> > "SMTP Security via Opportunistic DNS-Based Authentication of Named 
> > Entities (DANE) Transport Layer Security (TLS)".
> >
> > --------------------------------------
> > You may review the report below and at:
> > http://www.rfc-editor.org/errata/eid5395
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: Matt McCutchen <matt@mattmccutchen.net>
> >
> > Section: 2.1.1
> >
> > Original Text
> > -------------
> >    DNS records that would be
> >    classified "indeterminate" in the sense of [RFC4035] are simply
> >    classified as "insecure".
> >
> > Corrected Text
> > --------------
> >    DNS records that would be
> >    classified "indeterminate" in the sense of [RFC4033] are simply
> >    classified as "insecure".
> >
> > Notes
> > -----
> >
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC7672 (draft-ietf-dane-smtp-with-dane-19)
> > --------------------------------------
> > Title               : SMTP Security via Opportunistic DNS-Based 
> > Authentication of Named Entities (DANE) Transport Layer Security (TLS)
> > Publication Date    : October 2015
> > Author(s)           : V. Dukhovni, W. Hardaker
> > Category            : PROPOSED STANDARD
> > Source              : DNS-based Authentication of Named Entities
> > Area                : Security
> > Stream              : IETF
> > Verifying Party     : IESG
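The distinction the message turns on (an RFC 4035 "indeterminate" result is a transient failure, while the RFC 4033 "no trust anchor covers this part of the tree" case is folded into "insecure") is easy to get wrong in a DANE SMTP client. The following is an added example, not code from RFC 7672, from the thread or from any real resolver library: it models a security-aware resolver over a constructed zone table (zone names, states and the `Zone`/`TransientFailure` types are all assumptions of this example) and then applies the Section 2.1.1 rule on top of it.

```python
"""Added example: the two senses of "indeterminate" from RFC 7672 section 2.1.1.

A constructed, simplified model of a security-aware resolver (RFC 4035
section 4.3 statuses) and the RFC 7672 client layer above it. No real DNS
traffic is involved; zones, names and trust anchors below are made up.
"""
from typing import Dict, Iterable, List, NamedTuple


class Zone(NamedTuple):
    """Constructed model of one zone as the resolver sees it."""
    state: str        # "signed" (valid chain), "unsigned" (insecure delegation), "broken" (bad RRSIGs)
    reachable: bool   # can the resolver obtain this zone's DNSKEY/DS/RRSIG records?


class TransientFailure(Exception):
    """RFC 7672 treats an RFC 4035 'indeterminate' status as a (transient)
    failure: the needed records could not be located, so no security
    classification of the data is possible and the lookup must be retried."""


def _zone_path(qname: str, zones: Dict[str, Zone]) -> List[str]:
    """Zone cuts present in the model, from the root down to the closest
    enclosing zone of qname (e.g. ".", "net.", "example.net.")."""
    labels = qname.rstrip(".").lower().split(".")
    candidates = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [c for c in candidates if c in zones]


def resolver_status(qname: str, zones: Dict[str, Zone], trust_anchors: Iterable[str]) -> str:
    """Status a security-aware resolver would report for qname:
    "secure", "insecure", "bogus" or "indeterminate" (RFC 4035 sense)."""
    path = _zone_path(qname, zones)
    if not path:
        raise ValueError("constructed zone table lacks the root for " + qname)
    # RFC 4035 "indeterminate": the resolver cannot obtain the DNSSEC RRs it
    # needs because the servers for a zone on the path cannot be reached.
    if any(not zones[z].reachable for z in path):
        return "indeterminate"
    anchors = {a.lower().rstrip(".") + "." for a in trust_anchors}   # "" -> "." for the root
    anchored = [z for z in path if z in anchors]
    if not anchored:
        # RFC 4033 "indeterminate": no trust anchor covers this part of the
        # tree. RFC 7672 classifies such data as plain "insecure".
        return "insecure"
    anchor = anchored[-1]                 # deepest configured trust anchor on the path
    for z in path[path.index(anchor):]:
        state = zones[z].state
        if z == anchor and state != "signed":
            return "bogus"                # anchor configured, but the zone does not validate
        if state == "unsigned":
            return "insecure"             # provably unsigned delegation below the anchor
        if state == "broken":
            return "bogus"                # signatures present but they do not verify
    return "secure"


def dane_security_status(qname: str, zones: Dict[str, Zone], trust_anchors: Iterable[str]) -> str:
    """RFC 7672 section 2.1.1 view: only secure/insecure/bogus are returned;
    an RFC 4035 'indeterminate' result is surfaced as a transient failure."""
    status = resolver_status(qname, zones, trust_anchors)
    if status == "indeterminate":
        raise TransientFailure(f"{qname}: necessary DNSSEC RRs could not be obtained; retry later")
    return status


# Constructed sample zone table (not real zones).
SAMPLE_ZONES = {
    ".": Zone("signed", True),
    "net.": Zone("signed", True),
    "example.net.": Zone("signed", True),
    "unsigned.net.": Zone("unsigned", True),
    "broken.net.": Zone("broken", True),
    "unreachable.net.": Zone("signed", False),
    "test.": Zone("signed", True),   # signed, but only covered when "." is an anchor
}

if __name__ == "__main__":
    for name in ("mx.example.net.", "mx.unsigned.net.", "mx.broken.net.",
                 "mx.unreachable.net.", "mx.test."):
        try:
            print(name, "->", dane_security_status(name, SAMPLE_ZONES, ["net."]))
        except TransientFailure as exc:
            print(name, "-> transient failure:", exc)
```

Running the block with `["net."]` as the only trust anchor shows both cases side by side: `mx.unreachable.net.` raises `TransientFailure` (RFC 4035 sense, records unobtainable), while `mx.test.` comes back as `"insecure"` because no configured anchor covers it (RFC 4033 sense); configure `["."]` instead and `mx.test.` becomes `"secure"`.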