Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)

"Rose, Scott" <scott.rose@nist.gov> Fri, 23 March 2018 17:50 UTC

Return-Path: <scott.rose@nist.gov>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9008112DA12 for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2018 10:50:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e6GXIH5damk1 for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2018 10:49:58 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [IPv6:2610:20:6005:13::151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BFFD124B17 for <dnsext@ietf.org>; Fri, 23 Mar 2018 10:49:58 -0700 (PDT)
Received: from WSGHUB1.xchange.nist.gov (129.6.42.34) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.389.1; Fri, 23 Mar 2018 13:49:45 -0400
Received: from postmark.nist.gov (129.6.16.94) by mail-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.3.389.1; Fri, 23 Mar 2018 13:49:54 -0400
Received: from [129.6.140.7] (7-140.antd.nist.gov [129.6.140.7]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id w2NHnVbm032257; Fri, 23 Mar 2018 13:49:32 -0400
From: "Rose, Scott" <scott.rose@nist.gov>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
CC: Warren Kumari <warren@kumari.net>, Suresh Krishnan <suresh@kaloom.com>, Terry Manderson <terry.manderson@icann.org>, Olafur Gudmundsson <ogud@ogud.com>, Andrew Sullivan <ajs@anvilwalrusden.com>, <dnsext@ietf.org>, Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 23 Mar 2018 13:49:31 -0400
X-Mailer: MailMate (1.11r5462)
Message-ID: <382D058C-B2F4-400F-A5E1-7454FD1BC1CF@nist.gov>
In-Reply-To: <7e4b1f83-1da0-96b4-856e-804b8a3cf367@nlnetlabs.nl>
References: <20180323152454.94C77B82ED3@rfc-editor.org> <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com> <7e4b1f83-1da0-96b4-856e-804b8a3cf367@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_0FAC90A0-2DFB-4A6B-9D8E-779E8AD7E971_="
X-NIST-MailScanner-Information:
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/HoiBXSnC1CpMOmFb4yN0eAGTpPc>
Subject: Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 17:50:02 -0000

I agree with Wouter.  It is technically correct* this way.  The same 
goes with the other errata (5298).  They both should be approved, IMHO.


Scott
*The Best Kind of Correct


On 23 Mar 2018, at 11:43, W.C.A. Wijngaards wrote:

> Hi,
>
> Seems fine to me too.  Also Pieter's (5298) which is also about 
> missing
> out on the NSEC and RRSIG bits.  They aren't actually the focus, which
> is why no-one missed them I guess (together with all the omitted RRSIG
> fields?), but adding NSEC and RRSIG bits is correct for a signed zone.
>
> Best regards, Wouter
>
> On 23/03/18 16:27, Warren Kumari wrote:
>> [ - RFC Editor for clutter ]
>>
>> This *seems* correct to me, but my brain turned into jelly much
>> earlier in the week -- anyone disagree with the errata?
>>
>> W
>>
>> On Fri, Mar 23, 2018 at 3:24 PM, RFC Errata System
>> <rfc-editor@rfc-editor.org> wrote:
>>> The following errata report has been submitted for RFC6672,
>>> "DNAME Redirection in the DNS".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> http://www.rfc-editor.org/errata/eid5297
>>>
>>> --------------------------------------
>>> Type: Editorial
>>> Reported by: Pieter Lexis <pieter.lexis@powerdns.com>
>>>
>>> Section: 5.3.4.1
>>>
>>> Original Text
>>> -------------
>>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>>    ;; OPT PSEUDOSECTION:
>>>    ; EDNS: version: 0, flags: do; udp: 4096
>>>
>>>    ;; Question
>>>    foo.bar.example.com. IN A
>>>    ;; Authority
>>>    bar.example.com. NSEC dub.example.com. A DNAME
>>>    bar.example.com. RRSIG NSEC [valid signature]
>>>
>>> Corrected Text
>>> --------------
>>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>>    ;; OPT PSEUDOSECTION:
>>>    ; EDNS: version: 0, flags: do; udp: 4096
>>>
>>>    ;; Question
>>>    foo.bar.example.com. IN A
>>>    ;; Authority
>>>    bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
>>>    bar.example.com. RRSIG NSEC [valid signature]
>>>
>>> Notes
>>> -----
>>> The NSEC record in the original text would in no case be valid as it 
>>> denies it's own existence and the existence of the RRSIG, while the 
>>> text indicates that " the validator can see that it is a  BOGUS 
>>> reply from an attacker that collated existing records from the DNS 
>>> to create a confusing reply". This indicates that NSEC and RRSIG 
>>> should be set in the NSEC bitmap
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
>>> --------------------------------------
>>> Title               : DNAME Redirection in the DNS
>>> Publication Date    : June 2012
>>> Author(s)           : S. Rose, W. Wijngaards
>>> Category            : PROPOSED STANDARD
>>> Source              : DNS Extensions
>>> Area                : Internet
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>
>>> _______________________________________________
>>> dnsext mailing list
>>> dnsext@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsext
>>
>>
>>


===================================
Scott Rose
NIST ITL
scott.rose@nist.gov
+1-301-975-8439
GV: +1-571-249-3671
===================================