Re: RFC4034 6.2 item 3
Mark Andrews <Mark_Andrews@isc.org> Mon, 12 March 2007 00:39 UTC
Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HQYZH-0007dc-6I; Sun, 11 Mar 2007 20:39:15 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HQYZC-0006xO-Nf; Sun, 11 Mar 2007 20:39:15 -0400
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HQYT8-0003nv-Ce for namedroppers-data@psg.com; Mon, 12 Mar 2007 00:32:54 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.7
Received: from [204.152.184.167] (helo=mx.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <Mark_Andrews@isc.org>) id 1HQYT6-0003n9-BI for namedroppers@ops.ietf.org; Mon, 12 Mar 2007 00:32:53 +0000
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.isc.org (Postfix) with ESMTP id D98F411402B for <namedroppers@ops.ietf.org>; Mon, 12 Mar 2007 00:32:49 +0000 (UTC) (envelope-from Mark_Andrews@isc.org)
Received: from drugs.dv.isc.org (localhost.isc.org [IPv6:::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (verified OK)) by farside.isc.org (Postfix) with ESMTP id 4A338E60D9 for <namedroppers@ops.ietf.org>; Mon, 12 Mar 2007 00:32:48 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.13.8/8.13.8) with ESMTP id l2C0WkTk026303 for <namedroppers@ops.ietf.org>; Mon, 12 Mar 2007 11:32:47 +1100 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200703120032.l2C0WkTk026303@drugs.dv.isc.org>
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: RFC4034 6.2 item 3
In-reply-to: Your message of "Sat, 10 Mar 2007 10:26:48 BST." <040FB311-41B3-4906-8593-F56E26E8C835@NLnetLabs.nl>
Date: Mon, 12 Mar 2007 11:32:46 +1100
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6e922792024732fb1bb6f346e63517e4
For the record, I think RFC 4034 is in error here. > Dear Colleagues, > > We recently discovered an interoperability problem that can be argued > to be a protocol bug or an editing error. > > A popular zone signer and its corresponding validator implementation > does not lowercase the next domain name in the RDATA, while > according to RFC4034 section 6.2 item 3 that should be done. The bug > was discovered when NSD was deployed as a one of the servers in an > authoritative server cloud. During the zone transfer NSD 'lowercases > the NSEC RDATA' and starts to hand out different NSEC RDATA then was > used for input. > > One could argue that NSEC is listed in item 3 of section 6.2 in 4034 > in error: The original NSEC specification (RFC3845) does not contain > rules to make NSEC canonical and therefore the default was to use the > RFC3597 (Unknown RRs) behavior. RFC3597 does not list. > > On the other hand one could argue that when the NSEC is a 'carbon > copy' of the NXT RR and therefore RFC3597 behavior should have > applied and not mentioning the requirement to lowercase the dname > before signature creation in RFC3845 was an error. This is factually incorrect. NSEC and NXT have different wire formats. The presentation formats are the same sans typecode. It was this difference that prompted the type code roll. > Besides, the > RFC35977 case preservation is (most) relevant for implementations of > DNSSEC validation code but those are also the ones that must have > detailed knowledge of the NSEC RR so IMHO the deviation of 4034 of > 3597 should in theory not have caused problems. > > One of the argument to lower-case the data before signing is that the > _information_ you want to transport with the NSEC RR is the > _canonical_ ordering in which casing is irrelevant. > > There is one practical example, a bit far fetched, where not > lowercasing the dname before signing can hurt you: > Assume two sites that AXFR data between them (AXFR does not guarantee > casing of onwer names to be preserved). Both dynamically generate > NSECs and sign then dynamically. Now we have the case that for one > zone the RRSIGs for the NSECs data generated by one server (which is > exactly the same as for the other, except for the casing) cannot be > used to validate the NSEC RRset of the other. A bit construed, but > still. Then that is up to the implemantions to sort out. The model for DNSSEC is a *single* master with transfer of the zone to the other authoritative nodes. Epsilon implementations may wish to note this. > I also understand there is an installed-base argument that weighs > heavily for saying that 4034 is in error: At this moment there are > implementations that take a different interpretation. I think it is > fair to say that the signer and validator with the largest deployment > base treat the data as case sensitive. Treats the record as opaque. The same is it treats every other record not mentioned as being special. RFC 4034 for NSEC was a rollup of existing RFC. > Because of the argument that it is the information in the NSEC that > matters, the protocol geek in me has a slight preference for the > interpretation as in 4034, it is cleaner protocol wise. Practically I > want to have this fixed ASAP and the least disruptive way is to scrap > NSEC from the above mentioned item 3 in 6.2 of 4034 and to have NLnet > Labs patch NSD. It is important that the working group chooses a > position fast. > > I leave it to Olafur to judge consensus. > > The result should go into draft-ietf-dnsext-dnssec-updates. If it is decided to make NSEC a special case then text needs to be added to say that the list of records with special processing has been extended. Mark > --Olaf > > > ----------------------------------------------------------- > Olaf M. Kolkman > NLnet Labs > http://www.nlnetlabs.nl/ -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: RFC4034 6.2 item 3 Mark Andrews
- Re: RFC4034 6.2 item 3 Roy Arends
- Re: RFC4034 6.2 item 3 Olaf M. Kolkman
- Re: RFC4034 6.2 item 3 Andrew Sullivan
- Re: RFC4034 6.2 item 3 Paul Vixie