Re: [dnsext] [Errata Verified] RFC4035 (5226)

Mark Andrews <marka@isc.org> Sat, 05 August 2023 01:46 UTC

This is incorrect. DNSSEC-aware resolvers make NS queries to determine the parent nameservers. Non-DNSSEC resolvers accept the response from the child zone.

-- 
Mark Andrews

> On 5 Aug 2023, at 01:52, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been verified for RFC4035,
> "Protocol Modifications for the DNS Security Extensions". 
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid5226
> 
> --------------------------------------
> Status: Verified
> Type: Technical
> 
> Reported by: Peter van Dijk <peter.van.dijk@powerdns.com>
> Date Reported: 2018-01-04
> Verified by: Eric Vyncke (IESG)
> 
> Section: 3.1.4.1
> 
> Original Text
> -------------
>   The need for special processing by a security-aware name server only
>   arises when all the following conditions are met:
> 
>   o  The name server has received a query for the DS RRset at a zone
>      cut.
> 
>   o  The name server is authoritative for the child zone.
> 
>   o  The name server is not authoritative for the parent zone.
> 
>   o  The name server does not offer recursion.
> 
> Corrected Text
> --------------
>   The need for special processing by a security-aware name server only
>   arises when all the following conditions are met:
> 
>   o  The name server has received a query for the DS RRset at a zone
>      cut.
> 
>   o  The name server is authoritative for the child zone.
> 
>   o  The name server is not authoritative for any zone above the
>      child's apex.
> 
>   o  The name server does not offer recursion.
> 
> Notes
> -----
> The original text is ambiguous in the face of an authoritative server having zones C.B.A. and A. but not B.A., and could cause DS queries for C to return a NODATA at C's apex, instead of the desired referral to B. which would allow resolution to continue correctly.
> 
> --------------------------------------
> RFC4035 (draft-ietf-dnsext-dnssec-protocol-09)
> --------------------------------------
> Title               : Protocol Modifications for the DNS Security Extensions
> Publication Date    : March 2005
> Author(s)           : R. Arends, R. Austein, M. Larson, D. Massey, S. Rose
> Category            : PROPOSED STANDARD
> Source              : DNS Extensions
> Area                : Internet
> Stream              : IETF
> Verifying Party     : IESG
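The difference between the two wordings of condition 3 quoted above, evaluated for the zone layout in the erratum's Notes. This is an added example, not part of either message and not code from any name server. The function names are hypothetical, condition 1 (a DS query at a zone cut) is assumed, and the caller supplies the real parent zone because the original wording depends on it.

```python
# Added illustration of the four conditions quoted in erratum 5226 (not RFC or
# project code). Zone names are the placeholders from the erratum's Notes.

def labels(name):
    """Lower-cased labels of a domain name; the root zone is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_above(zone, name):
    """True when `zone` is a proper ancestor of `name` in the DNS tree."""
    z, n = labels(zone), labels(name)
    return len(z) < len(n) and n[len(n) - len(z):] == z

def serves(served, zone):
    """True when `zone` is one of the zones the server is authoritative for."""
    return any(labels(s) == labels(zone) for s in served)

def special_processing(served, child, parent, recursion, wording):
    """Evaluate the conditions for a DS query at the `child` zone cut.

    `parent` is the zone that really delegates `child`; only the original
    wording uses it. Condition 1 (a DS query at a zone cut) is assumed.
    """
    if not serves(served, child) or recursion:
        return False
    if wording == "original":      # "not authoritative for the parent zone"
        return not serves(served, parent)
    if wording == "corrected":     # "... for any zone above the child's apex"
        return not any(is_above(s, child) for s in served)
    raise ValueError("wording must be 'original' or 'corrected'")

def closest_served_ancestor(served, child):
    """Deepest served zone above `child`: the zone a referral could come from."""
    above = [s for s in served if is_above(s, child)]
    return max(above, key=lambda s: len(labels(s)), default=None)

if __name__ == "__main__":
    served = ["C.B.A.", "A."]      # constructed: the case from the Notes, B.A. not served
    for wording in ("original", "corrected"):
        hit = special_processing(served, "C.B.A.", "B.A.", False, wording)
        print(f"{wording:9}: special processing = {hit}")
    print("closest served ancestor:", closest_served_ancestor(served, "C.B.A."))
```

With C.B.A. and A. served but not B.A., the original wording selects the special case (the NODATA outcome the Notes describe) and the corrected wording does not, leaving the A. zone to produce the referral the Notes call desired.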