IETF Logo Mail Archive

Re: RFC4034 6.2 item 3

Olafur Gudmundsson <ogud@ogud.com> Tue, 13 March 2007 19:43 UTC

Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HRCuD-0007Qn-No; Tue, 13 Mar 2007 15:43:33 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HRCuB-0003fY-7K; Tue, 13 Mar 2007 15:43:33 -0400
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HRCmk-000I2P-UM for namedroppers-data@psg.com; Tue, 13 Mar 2007 19:35:50 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.7
Received: from [66.92.146.160] (helo=ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <ogud@ogud.com>) id 1HRCmh-000I2E-Od for namedroppers@ops.ietf.org; Tue, 13 Mar 2007 19:35:49 +0000
Received: from Puki.ogud.com (hlid.ogud.com [66.92.146.160]) by ogud.com (8.13.1/8.13.1) with ESMTP id l2DJZYs3022353 for <namedroppers@ops.ietf.org>; Tue, 13 Mar 2007 14:35:35 -0500 (EST) (envelope-from ogud@ogud.com)
Message-Id: <200703131935.l2DJZYs3022353@ogud.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Tue, 13 Mar 2007 15:35:12 -0400
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>
From: Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: RFC4034 6.2 item 3
In-Reply-To: <040FB311-41B3-4906-8593-F56E26E8C835@NLnetLabs.nl>
References: <040FB311-41B3-4906-8593-F56E26E8C835@NLnetLabs.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a2c12dacc0736f14d6b540e805505a86

This discussion seems to be coming to a conclusion, but to make sure
everyone is in agreement I want to ask people to answer few simple
questions about the general case. The IPSECKEY RR is defined in RFC4025
it is published after RFC3597 which sets the rules for handling of
future RR's.

In the answers below say what you think is the Right thing to do not
what your favorite implementation does.

1. The gateway field in IPSECKEY is a domain name
         1.a: Can it be compressed ?
         1.b: Can its case be changed as the Record passes through the DNS ?
         1.c: Should the DNSSEC domain name canonical rules be applied
              to the name before it is signed/verified ?
         1.d: Please explain your reasoning

2. Explain why different rules should apply to NSEC [RFC3845]
    and/or NSEC3 [RFC-to-be]?

3. what RFC's needs to be clarified?

         Olafur (acting as King Solomon)


At 05:26 10/03/2007, Olaf M. Kolkman wrote:


>Dear Colleagues,
>
>We recently discovered an interoperability problem that can be argued
>to be a protocol bug or an editing error.
>
>A popular zone signer and its corresponding validator implementation
>does not lowercase the next domain name in the RDATA, while
>according to RFC4034 section 6.2 item 3 that should be done. The bug
>was discovered when NSD was deployed as a one of the servers in an
>authoritative server cloud. During the zone transfer NSD 'lowercases
>the NSEC RDATA' and starts to hand out different NSEC RDATA then was
>used for input.
>
>One could argue that NSEC is listed in item 3 of section 6.2 in 4034
>in error: The original NSEC specification (RFC3845) does not contain
>rules to make NSEC canonical and therefore the default was to use the
>RFC3597 (Unknown RRs) behavior. RFC3597 does not list.
>
>On the other hand one could argue that when the NSEC is a 'carbon
>copy' of the NXT RR and therefore RFC3597 behavior should have
>applied and not mentioning the requirement to lowercase the dname
>before signature creation in RFC3845 was an error. Besides, the
>RFC35977 case preservation is (most) relevant for implementations of
>DNSSEC validation code but those are also the ones that must have
>detailed knowledge of the NSEC RR so IMHO the deviation of 4034 of
>3597 should in theory not have caused problems.
>
>One of the argument to lower-case the data before signing is that the
>_information_ you want to transport with the NSEC RR is the
>_canonical_ ordering in which casing is irrelevant.
>
>There is one practical example, a bit far fetched, where not
>lowercasing the dname before signing can hurt you:
>Assume two sites that AXFR data between them (AXFR does not guarantee
>casing of onwer names to be preserved). Both dynamically generate
>NSECs and sign then dynamically. Now we have the case that for one
>zone the RRSIGs for the NSECs data generated by one server (which is
>exactly the same as for the other, except for the casing) cannot be
>used to validate the NSEC RRset of the other.  A bit construed, but
>still.
>
>I also understand there is an installed-base argument that weighs
>heavily for saying that 4034 is in error:  At this moment there are
>implementations that take a different interpretation. I think it is
>fair to say that the signer and validator with the largest deployment
>base treat the data as case sensitive.
>
>Because of the argument that it is the information in the NSEC that
>matters, the protocol geek in me has a slight preference for the
>interpretation as in 4034, it is cleaner protocol wise. Practically I
>want to have this fixed ASAP and the least disruptive way is to scrap
>NSEC from the above mentioned item 3 in 6.2 of 4034 and to have NLnet
>Labs patch NSD. It is important that the working group chooses a
>position fast.
>
>I leave it to Olafur to judge consensus.
>
>The result should go into draft-ietf-dnsext-dnssec-updates.
>
>--Olaf


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email