[dnsext] [Technical Errata Reported] RFC5155 (4993)
RFC Errata System <rfc-editor@rfc-editor.org> Thu, 13 April 2017 16:12 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACFAA12922E for <dnsext@ietfa.amsl.com>; Thu, 13 Apr 2017 09:12:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnCby7uA7Mir for <dnsext@ietfa.amsl.com>; Thu, 13 Apr 2017 09:12:14 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78DCE1294D3 for <dnsext@ietf.org>; Thu, 13 Apr 2017 09:12:14 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id DB84EB80A47; Thu, 13 Apr 2017 09:12:07 -0700 (PDT)
To: ben@links.org, geoff-s@panix.com, roy@nominet.org.uk, davidb@verisign.com, suresh.krishnan@ericsson.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: rwfranks@acm.org, dnsext@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20170413161207.DB84EB80A47@rfc-editor.org>
Date: Thu, 13 Apr 2017 09:12:07 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/4ZyVxkinU9fQNLQxWNQzPOSuNy8>
X-Mailman-Approved-At: Tue, 18 Apr 2017 04:12:31 -0700
Subject: [dnsext] [Technical Errata Reported] RFC5155 (4993)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 16:12:17 -0000
The following errata report has been submitted for RFC5155, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=4993 -------------------------------------- Type: Technical Reported by: Dick Franks <rwfranks@acm.org> Section: Appendix A Original Text ------------- ; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom ; H(a.example) = 35mthgpgcu1qg68fab165klnsnk3dpvl ; H(ai.example) = gjeqe526plbf1g8mklp59enfd789njgi ; H(ns1.example) = 2t7b4g4vsa5smi47k61mv5bv1a22bojr ; H(ns2.example) = q04jkcevqvmu85r014c7dkba38o0ji5r ; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h ; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en ; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995 ; H(y.w.example) = ji6neoaepv8b5o6k4ev33abha8ht9fgc ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s ; H(xx.example) = t644ebqk9bibcna874givr6joj62mlhv - ; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example) - ; = kohar7mbb8dc2ce8a9qvl8hon4k53uhi example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) NS ns1.example. NS ns2.example. MX 1 xx.example. DNSKEY 256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU ( sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h TY4hHn9npWFRw5BYubE= ) DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= ) NSEC3PARAM 1 0 12 aabbccdd:1 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) ! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127 ! NSEC3 1 1 12 aabbccdd ( 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG ) 2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd ( 35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG ) 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) a.example. NS ns1.a.example. NS ns2.a.example. DS 58470 5 1 ( 3079F1593EBAD6DC121E202A8B766A6A4837206C ) ns1.a.example. A 192.0.2.5 ns2.a.example. A 192.0.2.6 ai.example. A 192.0.2.9 HINFO "KLH-10" "ITS" AAAA 2001:db8:0:0:0:0:f00:baa9 b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG ) c.example. NS ns1.c.example. NS ns2.c.example. ns1.c.example. A 192.0.2.7 ns2.c.example. A 192.0.2.8 gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd ( ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA RRSIG ) ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd ( k8udemvp1j2f7eg6jebps17vp3n8i58h ) k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd ( ! kohar7mbb8dc2ce8a9qvl8hon4k53uhi ) ! kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd ( ! q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG ) ns1.example. A 192.0.2.1 ns2.example. A 192.0.2.2 q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd ( t644ebqk9bibcna874givr6joj62mlhv MX RRSIG ) t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd ( 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA RRSIG ) *.w.example. MX 1 ai.example. x.w.example. MX 1 xx.example. x.y.w.example. MX 1 xx.example. xx.example. A 192.0.2.10 HINFO "KLH-10" "TOPS-20" AAAA 2001:db8:0:0:0:0:f00:baaa Corrected Text -------------- ; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom ; H(a.example) = 35mthgpgcu1qg68fab165klnsnk3dpvl ; H(ai.example) = gjeqe526plbf1g8mklp59enfd789njgi ; H(ns1.example) = 2t7b4g4vsa5smi47k61mv5bv1a22bojr ; H(ns2.example) = q04jkcevqvmu85r014c7dkba38o0ji5r ; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h ; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en ; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995 ; H(y.w.example) = ji6neoaepv8b5o6k4ev33abha8ht9fgc ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s ; H(xx.example) = t644ebqk9bibcna874givr6joj62mlhv example. 3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) NS ns1.example. NS ns2.example. MX 1 xx.example. DNSKEY 256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU ( sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h TY4hHn9npWFRw5BYubE= ) DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= ) NSEC3PARAM 1 0 12 aabbccdd:1 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) ! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3 1 1 12 aabbccdd ( 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG ) 2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd ( 35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG ) 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) a.example. NS ns1.a.example. NS ns2.a.example. DS 58470 5 1 ( 3079F1593EBAD6DC121E202A8B766A6A4837206C ) ns1.a.example. A 192.0.2.5 ns2.a.example. A 192.0.2.6 ai.example. A 192.0.2.9 HINFO "KLH-10" "ITS" AAAA 2001:db8:0:0:0:0:f00:baa9 b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG ) c.example. NS ns1.c.example. NS ns2.c.example. ns1.c.example. A 192.0.2.7 ns2.c.example. A 192.0.2.8 gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd ( ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA RRSIG ) ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd ( k8udemvp1j2f7eg6jebps17vp3n8i58h ) k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd ( ! q04jkcevqvmu85r014c7dkba38o0ji5r ) ns1.example. A 192.0.2.1 ns2.example. A 192.0.2.2 q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd ( r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG ) r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd ( t644ebqk9bibcna874givr6joj62mlhv MX RRSIG ) t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd ( 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA RRSIG ) *.w.example. MX 1 ai.example. x.w.example. MX 1 xx.example. x.y.w.example. MX 1 xx.example. xx.example. A 192.0.2.10 HINFO "KLH-10" "TOPS-20" AAAA 2001:db8:0:0:0:0:f00:baaa Notes ----- The obligatory RRSIG records have been omitted for clarity. The zone prior to NSEC3 signing seems to have contained an unexpected 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127 which was then lovingly included in the NSEC3 chain. The error is readily detectable from the list of hashes of the original owner names. The source zone prior to signing can never contain a hashed name. For completeness, B5 also needs a corresponding amendment, although this does not invalidate the proof presented therein. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC5155 (draft-ietf-dnsext-nsec3-13) -------------------------------------- Title : DNS Security (DNSSEC) Hashed Authenticated Denial of Existence Publication Date : March 2008 Author(s) : B. Laurie, G. Sisson, R. Arends, D. Blacka Category : PROPOSED STANDARD Source : DNS Extensions Area : Internet Stream : IETF Verifying Party : IESG
- [dnsext] [Technical Errata Reported] RFC5155 (499… RFC Errata System
- Re: [dnsext] [Technical Errata Reported] RFC5155 … Alex Bligh
- Re: [dnsext] [Ext] [Technical Errata Reported] RF… Roy Arends