Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Fri, 23 March 2018 15:43 UTC

To: Warren Kumari <warren@kumari.net>
Cc: "Rose, Scott" <scott.rose@nist.gov>, Suresh Krishnan <suresh@kaloom.com>, Terry Manderson <terry.manderson@icann.org>, Olafur Gudmundsson <ogud@ogud.com>, Andrew Sullivan <ajs@anvilwalrusden.com>, dnsext@ietf.org, Pieter Lexis <pieter.lexis@powerdns.com>
References: <20180323152454.94C77B82ED3@rfc-editor.org> <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com>
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Message-ID: <7e4b1f83-1da0-96b4-856e-804b8a3cf367@nlnetlabs.nl>
Date: Fri, 23 Mar 2018 16:43:35 +0100
In-Reply-To: <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="MKkIdRvDlItXlbOj5IZYATwWROvSP2bLw"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/68GOYYcCjyvIsiNlF6ux0vWwx_8>
Subject: Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)

Hi,

Seems fine to me too.  Also Pieter's (5298) which is also about missing
out on the NSEC and RRSIG bits.  They aren't actually the focus, which
is why no-one missed them I guess (together with all the omitted RRSIG
fields?), but adding NSEC and RRSIG bits is correct for a signed zone.

Best regards, Wouter

On 23/03/18 16:27, Warren Kumari wrote:
> [ - RFC Editor for clutter ]
> 
> This *seems* correct to me, but my brain turned into jelly much
> earlier in the week -- anyone disagree with the errata?
> 
> W
> 
> On Fri, Mar 23, 2018 at 3:24 PM, RFC Errata System
> <rfc-editor@rfc-editor.org> wrote:
>> The following errata report has been submitted for RFC6672,
>> "DNAME Redirection in the DNS".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5297
>>
>> --------------------------------------
>> Type: Editorial
>> Reported by: Pieter Lexis <pieter.lexis@powerdns.com>
>>
>> Section: 5.3.4.1
>>
>> Original Text
>> -------------
>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>    ;; OPT PSEUDOSECTION:
>>    ; EDNS: version: 0, flags: do; udp: 4096
>>
>>    ;; Question
>>    foo.bar.example.com. IN A
>>    ;; Authority
>>    bar.example.com. NSEC dub.example.com. A DNAME
>>    bar.example.com. RRSIG NSEC [valid signature]
>>
>> Corrected Text
>> --------------
>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>    ;; OPT PSEUDOSECTION:
>>    ; EDNS: version: 0, flags: do; udp: 4096
>>
>>    ;; Question
>>    foo.bar.example.com. IN A
>>    ;; Authority
>>    bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
>>    bar.example.com. RRSIG NSEC [valid signature]
>>
>> Notes
>> -----
>> The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
>> --------------------------------------
>> Title               : DNAME Redirection in the DNS
>> Publication Date    : June 2012
>> Author(s)           : S. Rose, W. Wijngaards
>> Category            : PROPOSED STANDARD
>> Source              : DNS Extensions
>> Area                : Internet
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>> _______________________________________________
>> dnsext mailing list
>> dnsext@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsext
> 
> 
>
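Added example, not part of this thread, of RFC 6672, or of any of the participants' code: a small Python module that encodes and decodes the NSEC type bitmap in its RFC 4034 section 4.1.2 wire form and applies the two validator-side checks the erratum turns on. The first is the RFC 4035 section 2.3 rule that every NSEC in a signed zone must list NSEC and RRSIG in its own bitmap (the "denies its own existence" problem with the original text); the second is the RFC 6672 section 5.3.4.1 point that an NSEC at an ancestor of the query name with the DNAME bit set cannot prove NXDOMAIN, because the DNAME would have redirected the query. The function names, the `audit_nsec` wording and the type sets built from the erratum's two NSEC records are this example's own assumptions, not anything the RFC defines.

```python
"""Added example (not from the thread or from RFC 6672): NSEC type bitmap
encode/decode (RFC 4034 section 4.1.2) plus two validator checks. Function
names and sample records are this example's own, built from the erratum text."""

# IANA RR type codes used below.
TYPE_A = 1
TYPE_MX = 15
TYPE_DNAME = 39
TYPE_RRSIG = 46
TYPE_NSEC = 47


def encode_type_bitmap(types):
    """Encode a set of RR type codes as RFC 4034 window blocks.

    Each block is: window number (high octet of the type code), bitmap
    length (1..32), then the bitmap with trailing zero octets dropped.
    """
    out = bytearray()
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                low = t & 0xFF
                bits[low // 8] |= 0x80 >> (low % 8)  # bit 0 is the MSB
        length = 32
        while bits[length - 1] == 0:  # at least one octet is non-zero
            length -= 1
        out += bytes([window, length]) + bits[:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Decode window blocks back into a set of RR type codes.

    Malformed encodings RFC 4034 forbids (zero-length or over-long bitmaps,
    truncated blocks) raise ValueError instead of being guessed at.
    """
    types = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap length %d outside 1..32" % length)
        block = data[i + 2:i + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for octet_index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (octet_index * 8 + bit))
        i += 2 + length
    return types


def _labels(name):
    """Lowercased labels of a presentation-format name, root label omitted."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_strict_ancestor(ancestor, name):
    """True when `ancestor` is a proper ancestor of `name`; a DNAME applies
    to names below its owner, never to the owner itself."""
    anc, nm = _labels(ancestor), _labels(name)
    return len(anc) < len(nm) and nm[len(nm) - len(anc):] == anc


def audit_nsec(qname, nsec_owner, nsec_types):
    """Problems a validator would find with an NSEC offered as an NXDOMAIN
    proof for `qname`; an empty list means neither check fired."""
    issues = []
    # RFC 4035 section 2.3: every NSEC in a signed zone must list NSEC and
    # RRSIG in its own bitmap, otherwise it denies its own existence.
    if TYPE_NSEC not in nsec_types or TYPE_RRSIG not in nsec_types:
        issues.append("self-denial: bitmap omits NSEC and/or RRSIG")
    # RFC 6672 section 5.3.4.1: a DNAME at an ancestor of qname would have
    # redirected the query, so this NSEC cannot prove qname does not exist.
    if TYPE_DNAME in nsec_types and is_strict_ancestor(nsec_owner, qname):
        issues.append("bogus: ancestor %s has DNAME, NXDOMAIN impossible" % nsec_owner)
    return issues


# The two NSEC RRs from the erratum as type sets (constructed from its text).
ORIGINAL_TYPES = {TYPE_A, TYPE_DNAME}                          # "A DNAME"
CORRECTED_TYPES = {TYPE_A, TYPE_DNAME, TYPE_RRSIG, TYPE_NSEC}  # "A DNAME RRSIG NSEC"

if __name__ == "__main__":
    for label, types in (("original", ORIGINAL_TYPES), ("corrected", CORRECTED_TYPES)):
        wire = encode_type_bitmap(types)
        assert decode_type_bitmap(wire) == types
        print(label, wire.hex(), audit_nsec("foo.bar.example.com.", "bar.example.com.", types))
```

Run as a script it prints the wire bitmap of each record and the findings: the erratum's original NSEC trips both checks, the corrected one only the DNAME check, which is exactly the outcome section 5.3.4.1 wants the validator to reach. The encoder reproduces the worked encoding in RFC 4034 section 4.1.3 ("A MX RRSIG NSEC TYPE1234"), which is a handy sanity check when writing or reviewing any bitmap code.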