[dnsext] [Technical Errata Reported] RFC5155 (3441)
RFC Errata System <rfc-editor@rfc-editor.org> Mon, 31 December 2012 16:01 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D54B21F858A for <dnsext@ietfa.amsl.com>; Mon, 31 Dec 2012 08:01:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.181
X-Spam-Level:
X-Spam-Status: No, score=-102.181 tagged_above=-999 required=5 tests=[AWL=0.419, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gSw0howyLxZc for <dnsext@ietfa.amsl.com>; Mon, 31 Dec 2012 08:01:00 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1890:123a::1:2f]) by ietfa.amsl.com (Postfix) with ESMTP id EC27B21F8584 for <dnsext@ietf.org>; Mon, 31 Dec 2012 08:00:59 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id 0EA85B1E002; Mon, 31 Dec 2012 07:51:10 -0800 (PST)
To: ben@links.org, geoff-s@panix.com, roy@nominet.org.uk, davidb@verisign.com, rdroms.ietf@gmail.com, brian@innovationslab.net, ogud@ogud.com, ajs@anvilwalrusden.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20121231155110.0EA85B1E002@rfc-editor.org>
Date: Mon, 31 Dec 2012 07:51:10 -0800
X-Mailman-Approved-At: Tue, 01 Jan 2013 15:16:36 -0800
Cc: ed.lewis@neustar.biz, dnsext@ietf.org, rfc-editor@rfc-editor.org
Subject: [dnsext] [Technical Errata Reported] RFC5155 (3441)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Dec 2012 16:01:01 -0000
The following errata report has been submitted for RFC5155, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=3441 -------------------------------------- Type: Technical Reported by: Edward Lewis <ed.lewis@neustar.biz> Section: 7.2.3 & 8.5 Original Text ------------- 7.2.3 (contents) 8.5 (contents) Corrected Text -------------- 7.2.3. No Data Responses, QTYPE is not DS If the No Data Response is a result of an empty non-terminal derived from an insecure delegation covered by an Opt-Out NSEC3 RR, the closest provable encloser proof MUST be included in the response. The included NSEC3 RR that covers the "next closer" name for the delegation MUST have the Opt-Out flag set to one. In all other cases, the server MUST include the NSEC3 RR that matches QNAME. This NSEC3 RR MUST NOT have the bits corresponding to either the QTYPE or CNAME set in its Type Bit Maps field. =============================================== 8.5. Validating No Data Responses, QTYPE is not DS If there is an NSEC3 RR that matches QNAME present, the validator must check that both the QTYPE and the CNAME type are not set in its Type Bit Maps field. Note that this test also covers the case where the NSEC3 RR exists because it corresponds to an empty non-terminal, in which case the NSEC3 RR will have an empty Type Bit Maps field. If there is no NSEC3 RR present that matches QNAME, then the validator MUST verify a closest provable encloser proof for the QNAME. The validator MUST verify that the Opt-Out bit is set in the NSEC3 RR that covers the "next closer" name to the delegation name. This test covers the case where the response is due to an Empty Non-Terminal derived from an insecure delegation covered by an Opt-Out NSEC3 RR. Notes ----- The corrections were derived from a private email from an editor of RFC 5155. Note that the ordering of the paragraphs in the proposed 8.5 fix has been changed. No other change is intentional. >From Roy Arends: We missed documenting the case of what a server and a validator should do in case of an opted-out, multi-label delegation. We did make it clear in signing (7.1). This is also not part of the demo zone, included in RFC5155. As suggested text for an errata, may I offer: 7.2.3. No Data Responses, QTYPE is not DS If the No Data Response is a result of an empty non-terminal derived from an insecure delegation covered by an Opt-Out NSEC3 RR, the closest provable encloser proof MUST be included in the response. The included NSEC3 RR that covers the "next closer" name for the delegation MUST have the Opt-Out flag set to one. In all other cases, the server MUST include the NSEC3 RR that matches QNAME. This NSEC3 RR MUST NOT have the bits corresponding to either the QTYPE or CNAME set in its Type Bit Maps field. 8.5. Validating No Data Responses, QTYPE is not DS If there is no NSEC3 RR present that matches QNAME, then the validator MUST verify a closest provable encloser proof for the QNAME. The validator MUST verify that the Opt-Out bit is set in the NSEC3 RR that covers the "next closer" name to the delegation name. This test covers the case where the response is due to an Empty Non-Terminal derived from an insecure delegation covered by an Opt-Out NSEC3 RR. If there is an NSEC3 RR that matches QNAME present, the validator must check that both the QTYPE and the CNAME type are not set in its Type Bit Maps field. Note that this test also covers the case where the NSEC3 RR exists because it corresponds to an empty non-terminal, in which case the NSEC3 RR will have an empty Type Bit Maps field. The following message is the singularly most important one in the errata submission, from David Blacka, commenting on the order of the paragraphs: http://www.ietf.org/mail-archive/web/dnsext/current/msg12835.html The heads of the threads to review: http://www.ietf.org/mail-archive/web/dnsext/current/msg12819.html http://www.ietf.org/mail-archive/web/dnsext/current/msg12821.html http://www.ietf.org/mail-archive/web/dnsext/current/msg12830.html http://www.ietf.org/mail-archive/web/dnsext/current/msg12832.html http://www.ietf.org/mail-archive/web/dnsext/current/msg12839.html http://www.ietf.org/mail-archive/web/dnsext/current/msg12854.html and http://www.ietf.org/mail-archive/web/dnsext/current/msg12864.html Instructions: ------------- This errata is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary. -------------------------------------- RFC5155 (draft-ietf-dnsext-nsec3-13) -------------------------------------- Title : DNS Security (DNSSEC) Hashed Authenticated Denial of Existence Publication Date : March 2008 Author(s) : B. Laurie, G. Sisson, R. Arends, D. Blacka Category : PROPOSED STANDARD Source : DNS Extensions Area : Internet Stream : IETF Verifying Party : IESG
- [dnsext] [Technical Errata Reported] RFC5155 (344… RFC Errata System