[dnsext] [Technical Errata Reported] RFC5155 (4993)

RFC Errata System <rfc-editor@rfc-editor.org> Thu, 13 April 2017 16:12 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACFAA12922E for <dnsext@ietfa.amsl.com>; Thu, 13 Apr 2017 09:12:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnCby7uA7Mir for <dnsext@ietfa.amsl.com>; Thu, 13 Apr 2017 09:12:14 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78DCE1294D3 for <dnsext@ietf.org>; Thu, 13 Apr 2017 09:12:14 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id DB84EB80A47; Thu, 13 Apr 2017 09:12:07 -0700 (PDT)
To: ben@links.org, geoff-s@panix.com, roy@nominet.org.uk, davidb@verisign.com, suresh.krishnan@ericsson.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: rwfranks@acm.org, dnsext@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20170413161207.DB84EB80A47@rfc-editor.org>
Date: Thu, 13 Apr 2017 09:12:07 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/4ZyVxkinU9fQNLQxWNQzPOSuNy8>
X-Mailman-Approved-At: Tue, 18 Apr 2017 04:12:31 -0700
Subject: [dnsext] [Technical Errata Reported] RFC5155 (4993)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 16:12:17 -0000

The following errata report has been submitted for RFC5155,
"DNS Security (DNSSEC) Hashed Authenticated Denial of Existence".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=4993

--------------------------------------
Type: Technical
Reported by: Dick Franks <rwfranks@acm.org>

Section: Appendix A

Original Text
-------------
  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
- ; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example)
- ;                  = kohar7mbb8dc2ce8a9qvl8hon4k53uhi
  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
                         3600000 3600 )
                 NS      ns1.example.
                 NS      ns2.example.
                 MX      1 xx.example.
                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
                         TY4hHn9npWFRw5BYubE= )
                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
                         AbsUdblMFin8CVF3n4s= )
                 NSEC3PARAM 1 0 12 aabbccdd:1
  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
                         SOA NSEC3PARAM RRSIG )
! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
!                NSEC3   1 1 12 aabbccdd (
                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
  a.example.     NS      ns1.a.example.
                 NS      ns2.a.example.
                 DS      58470 5 1 (
                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
  ns1.a.example. A       192.0.2.5
  ns2.a.example. A       192.0.2.6
  ai.example.    A       192.0.2.9
                 HINFO   "KLH-10" "ITS"
                 AAAA    2001:db8:0:0:0:0:f00:baa9
  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
  c.example.     NS      ns1.c.example.
                 NS      ns2.c.example.
  ns1.c.example. A       192.0.2.7
  ns2.c.example. A       192.0.2.8
  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
                         RRSIG )
  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
!                        kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
! kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
!                        q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
  ns1.example.   A       192.0.2.1
  ns2.example.   A       192.0.2.2
  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
                         RRSIG )
  *.w.example.   MX      1 ai.example.
  x.w.example.   MX      1 xx.example.
  x.y.w.example. MX      1 xx.example.
  xx.example.    A       192.0.2.10
                 HINFO   "KLH-10" "TOPS-20"
                 AAAA    2001:db8:0:0:0:0:f00:baaa

Corrected Text
--------------
  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
                         3600000 3600 )
                 NS      ns1.example.
                 NS      ns2.example.
                 MX      1 xx.example.
                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
                         TY4hHn9npWFRw5BYubE= )
                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
                         AbsUdblMFin8CVF3n4s= )
                 NSEC3PARAM 1 0 12 aabbccdd:1
  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
                         SOA NSEC3PARAM RRSIG )
! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3   1 1 12 aabbccdd (
                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
  a.example.     NS      ns1.a.example.
                 NS      ns2.a.example.
                 DS      58470 5 1 (
                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
  ns1.a.example. A       192.0.2.5
  ns2.a.example. A       192.0.2.6
  ai.example.    A       192.0.2.9
                 HINFO   "KLH-10" "ITS"
                 AAAA    2001:db8:0:0:0:0:f00:baa9
  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
  c.example.     NS      ns1.c.example.
                 NS      ns2.c.example.
  ns1.c.example. A       192.0.2.7
  ns2.c.example. A       192.0.2.8
  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
                         RRSIG )
  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
!                        q04jkcevqvmu85r014c7dkba38o0ji5r )
  ns1.example.   A       192.0.2.1
  ns2.example.   A       192.0.2.2
  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
                         RRSIG )
  *.w.example.   MX      1 ai.example.
  x.w.example.   MX      1 xx.example.
  x.y.w.example. MX      1 xx.example.
  xx.example.    A       192.0.2.10
                 HINFO   "KLH-10" "TOPS-20"
                 AAAA    2001:db8:0:0:0:0:f00:baaa

Notes
-----
The obligatory RRSIG records have been omitted for clarity.

The zone prior to NSEC3 signing seems to have contained an unexpected
    2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.	A	192.0.2.127
which was then lovingly included in the NSEC3 chain.

The error is readily detectable from the list of hashes of the original owner names. The source zone prior to signing can never contain a hashed name.

For completeness, B5 also needs a corresponding amendment, although this does not invalidate the proof presented therein.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5155 (draft-ietf-dnsext-nsec3-13)
--------------------------------------
Title               : DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
Publication Date    : March 2008
Author(s)           : B. Laurie, G. Sisson, R. Arends, D. Blacka
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Area                : Internet
Stream              : IETF
Verifying Party     : IESG