[dnsext] Re: [Technical Errata Reported] RFC6672 (8677)
Paul Hoffman <phoffman@proper.com> Fri, 12 December 2025 18:03 UTC
From: Paul Hoffman <phoffman@proper.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Date: Fri, 12 Dec 2025 10:03:33 -0800
CC: scott.rose@nist.gov, ek.ietf@gmail.com, evyncke@cisco.com, ogud@ogud.com, dnsext@ietf.org

This is not actually an erratum (given that it is for "missing text"), it is a plea to start an update to RFC 6672, which already has errata. It should be marked as "hold for update" so that it is remembered when someone updates RFC 6672.

--Paul Hoffman

On 12 Dec 2025, at 7:55, RFC Errata System wrote:

> The following errata report has been submitted for RFC6672,
> "DNAME Redirection in the DNS".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8677
>
> --------------------------------------
> Type: Technical
> Reported by: Petr Špaček <pspacek@isc.org>
>
> Section: 8
>
> Original Text
> -------------
> <missing text>
>
> Corrected Text
> --------------
> DNAME redirects can be used to amplify the impact of successfully spoofing a
> single DNS response. An attacker can generate an arbitrary query name in the
> form of "$random.example." and simultaneously try to spoof a response. The
> "$random" label provides the attacker with an unlimited number of spoof
> attempts. A successful spoofing can include a DNAME RR with a QNAME's parent
> name. Such a spoofed RR can redirect the whole parent zone to a malicious
> target, or create a resolution loop.
>
> Consumers of DNS responses might consider the trustworthiness of DNAME RRs: Are
> they DNSSEC-secure? Were they received via a non-spoofable transport (TCP, TLS,
> UDP with DNS cookies, etc.)? Depending on security posture, consumers might
> choose to not use untrustworthy DNAME RRs, or choose to re-query using a secure
> transport like TCP.
>
>
> Notes
> -----
> I believe Security Considerations should mention higher risk associated with DNAME spoofing. Hardening described in the proposed text was deployed as (part of) fix for CVE-2025-40778 in BIND 9.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
> --------------------------------------
> Title : DNAME Redirection in the DNS
> Publication Date : June 2012
> Author(s) : S. Rose, W. Wijngaards
> Category : PROPOSED STANDARD
> Source : DNS Extensions
> Stream : IETF
> Verifying Party : IESG
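
The acceptance policy sketched in the quoted "Corrected Text", as an added example that is not part of the original message and is not BIND 9's code: a DNAME RR is used only if it is DNSSEC-secure or arrived over a non-spoofable transport, otherwise it is ignored or re-queried over TCP, and chained rewrites are capped to stop resolution loops. The names `Dname`, `decide`, `follow`, the transport labels and the hop cap are assumptions of this example.

```python
from dataclasses import dataclass

# Transports the proposed text treats as non-spoofable (labels are this example's own).
NON_SPOOFABLE = {"tcp", "tls", "udp+cookie"}
MAX_HOPS = 8  # assumed cap on chained DNAME rewrites, to stop redirection loops

@dataclass(frozen=True)
class Dname:
    owner: str           # name the DNAME RR is attached to
    target: str          # name the subtree is redirected to
    dnssec_secure: bool  # RR validated as DNSSEC-secure
    transport: str       # how the response carrying the RR arrived

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def applies_to(rr, qname):
    """A DNAME rewrites only names strictly below its owner."""
    o, q = labels(rr.owner), labels(qname)
    return len(o) < len(q) and q[len(q) - len(o):] == o

def decide(rr, qname, strict=False):
    """Return 'use', 'requery-tcp' or 'ignore' for one DNAME RR."""
    if not applies_to(rr, qname):
        return "ignore"
    if rr.dnssec_secure or rr.transport in NON_SPOOFABLE:
        return "use"
    return "ignore" if strict else "requery-tcp"

def substitute(rr, qname):
    """Replace the owner suffix of qname with the DNAME target."""
    q, o = labels(qname), labels(rr.owner)
    prefix = q[:len(q) - len(o)]
    return ".".join(prefix + labels(rr.target)) + "."

def follow(qname, rrs, strict=False):
    """Apply trusted DNAMEs until none match; None means distrust or a loop."""
    for _ in range(MAX_HOPS):
        rr = next((r for r in rrs if applies_to(r, qname)), None)
        if rr is None:
            return qname
        if decide(rr, qname, strict) != "use":
            return None
        qname = substitute(rr, qname)
    return None  # hop cap reached: treat as a resolution loop
```
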