Re: [dnsext] Asking for review on this errata by DNSSEC experts Re: [Errata Verified] RFC4035 (5226)

"Rose, Scott W. (Fed)" <scott.rose@nist.gov> Mon, 07 August 2023 13:27 UTC

From: "Rose, Scott W. (Fed)" <scott.rose@nist.gov>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: Mark Andrews <marka@isc.org>, RFC Errata System <rfc-editor@rfc-editor.org>, dnsdir@ietf.org, peter.van.dijk@powerdns.com, roy.arends@telin.nl, sra@isc.org, mlarson@verisign.com, massey@cs.colostate.edu, dnsext@ietf.org
Date: Mon, 07 Aug 2023 09:27:18 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/1MbysZRL3602EksYWuTufaTvvus>

Éric,
I also agree with Mark (and Rob). Section 4.2 states how resolvers should use NS queries to find the parent zone.  That would work in the example given in the errata report: queries for “B.A IN NS” would return the B.A server, which would have the DS RRset for C.B.A.

Unless there is some corner case where this doesn’t work?  Or the implemented behavior is actually different.

Scott


On 5 Aug 2023, at 3:11, Eric Vyncke (evyncke) wrote:

> Mark, thanks for your review. Happy to correct the errata after verification.
>
> What is the view of the DNS directorate members on this errata (see below or at https://www.rfc-editor.org/errata/eid5226) ? I.e., I would appreciate a quick look by several DNS directorate members + original authors.
>
> Thanks, in advance.
>
> -éric
>
>
> On 05/08/2023, 03:46, "Mark Andrews" <marka@isc.org> wrote:
>
>
> This is incorrect. DNSSEC aware resolvers make NS queries to determine the parent nameservers. Non-DNSSEC resolvers accept the response from the child zone.
>
>
> -- 
> Mark Andrews
>
>
>> On 5 Aug 2023, at 01:52, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>
>> The following errata report has been verified for RFC4035,
>> "Protocol Modifications for the DNS Security Extensions".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid5226
>>
>> --------------------------------------
>> Status: Verified
>> Type: Technical
>>
>> Reported by: Peter van Dijk <peter.van.dijk@powerdns.com>
>> Date Reported: 2018-01-04
>> Verified by: Eric Vyncke (IESG)
>>
>> Section: 3.1.4.1
>>
>> Original Text
>> -------------
>> The need for special processing by a security-aware name server only
>> arises when all the following conditions are met:
>>
>> o The name server has received a query for the DS RRset at a zone
>> cut.
>>
>> o The name server is authoritative for the child zone.
>>
>> o The name server is not authoritative for the parent zone.
>>
>> o The name server does not offer recursion.
>>
>> Corrected Text
>> --------------
>> The need for special processing by a security-aware name server only
>> arises when all the following conditions are met:
>>
>> o The name server has received a query for the DS RRset at a zone
>> cut.
>>
>> o The name server is authoritative for the child zone.
>>
>> o The name server is not authoritative for any zone above the
>> child's apex.
>>
>> o The name server does not offer recursion.
>>
>> Notes
>> -----
>> The original text is ambiguous in the face of an authoritative server having zones C.B.A. and A. but not B.A., and could cause DS queries for C to return a NODATA at C's apex, instead of the desired referral to B. which would allow resolution to continue correctly.
>>
>> --------------------------------------
>> RFC4035 (draft-ietf-dnsext-dnssec-protocol-09)
>> --------------------------------------
>> Title : Protocol Modifications for the DNS Security Extensions
>> Publication Date : March 2005
>> Author(s) : R. Arends, R. Austein, M. Larson, D. Massey, S. Rose
>> Category : PROPOSED STANDARD
>> Source : DNS Extensions
>> Area : Internet
>> Stream : IETF
>> Verifying Party : IESG
>>


==================================
Scott Rose NIST/CTL
scott.rose@nist.gov
ph: +1-301-975-8439 (w)
    +1-571-249-3761 (GoogleVoice)
==================================
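The decision the errata is about, as an added worked example that is not code from the thread or from any DNS server: it applies the RFC 4035 section 3.1.4.1 conditions to a DS query at a zone cut under both the original and the corrected third condition, using the errata's own layout (a server hosting A. and C.B.A. but not B.A.), and adds the resolver-side parent lookup by NS queries that Mark and Scott describe. The `zone_cuts` oracle standing in for NS answers, and all names, are constructed assumptions.

```python
# Added worked example, not code from the thread or from any DNS server: the
# RFC 4035 section 3.1.4.1 test for a DS query at a zone cut (original vs
# errata-corrected third condition) plus the resolver-side parent lookup by NS
# queries that Mark and Scott describe. Names and zone layouts are constructed.

def labels(name):
    """'C.B.A.' -> ['a', 'b', 'c']: root-first, case-folded, root dropped."""
    return [l.lower() for l in reversed(name.rstrip(".").split(".")) if l]

def to_name(ls):
    """Inverse of labels(): ['a', 'b'] -> 'b.a.', [] -> '.'."""
    return ".".join(reversed(ls)) + "." if ls else "."

def ds_handling(hosted, qname, corrected=True, recursion=False):
    """Answer for 'qname DS' at an authoritative server hosting `hosted`:
    ('NODATA', child apex) in the special case, ('ANSWER', parent) if the parent
    is hosted, ('REFERRAL', delegation) if only a higher ancestor is, else ('NORMAL', None)."""
    hosted = {to_name(labels(z)) for z in hosted}
    child = labels(qname)
    above = [z for z in hosted                      # hosted proper ancestors of the child
             if len(labels(z)) < len(child) and child[:len(labels(z))] == labels(z)]
    parent = to_name(child[:-1])
    if corrected:
        cond3 = not above              # "not authoritative for any zone above the child's apex"
    else:
        cond3 = parent not in hosted   # "not authoritative for the parent zone"
    if to_name(child) in hosted and cond3 and not recursion:
        return ("NODATA", to_name(child))   # authoritative no-data at the child's apex
    if not above:
        return ("NORMAL", None)             # nothing hosted can hold the DS: recurse or REFUSED
    closest = max(above, key=lambda z: len(labels(z)))
    if closest == parent:
        return ("ANSWER", closest)          # the DS RRset lives in the hosted parent
    return ("REFERRAL", to_name(child[:len(labels(closest)) + 1]))

def find_parent_zone(qname, zone_cuts):
    """Resolver side: ask 'name IN NS' for each ancestor of qname, nearest
    first, until one is a zone apex; zone_cuts stands in for those answers."""
    cuts = {to_name(labels(c)) for c in zone_cuts}
    ls = labels(qname)[:-1]
    while ls:
        if to_name(ls) in cuts:             # e.g. 'B.A IN NS' returned an NS RRset
            return to_name(ls)
        ls = ls[:-1]
    return "."

if __name__ == "__main__":
    print(ds_handling(["A.", "C.B.A."], "C.B.A.", corrected=False))  # ('NODATA', 'c.b.a.')
    print(ds_handling(["A.", "C.B.A."], "C.B.A.", corrected=True))   # ('REFERRAL', 'b.a.')
```

With the original wording the server hosting A. and C.B.A. answers the DS query from C.B.A.'s apex with NODATA; with the corrected wording it refers the resolver to B.A., which is what the errata note asks for, and the resolver-side NS walk reaches B.A. either way.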