[dnsext] Re: [Technical Errata Reported] RFC6672 (8677)
Olafur Gudmundsson <ogud@ogud.com> Sat, 13 December 2025 04:03 UTC
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Fri, 12 Dec 2025 23:02:56 -0500
To: Paul Hoffman <phoffman@proper.com>
CC: RFC Errata System <rfc-editor@rfc-editor.org>, Scott Rose <scott.rose@nist.gov>, ek.ietf@gmail.com, Eric Vyncke <evyncke@cisco.com>, dnsext@ietf.org
Subject: [dnsext] Re: [Technical Errata Reported] RFC6672 (8677)
I agree with Paul: this is not an error but a warning about abuse; we cannot update an RFC every time someone thinks of a possible “misuse”.

Olafur

> On Dec 12, 2025, at 13:03, Paul Hoffman <phoffman@proper.com> wrote:
>
> This is not actually an erratum (given that it is for "missing text"), it is a plea to start an update to RFC 6672, which already has errata. It should be marked as "hold for update" so that it is remembered when someone updates RFC 6672.
>
> --Paul Hoffman
>
> On 12 Dec 2025, at 7:55, RFC Errata System wrote:
>
>> The following errata report has been submitted for RFC6672,
>> "DNAME Redirection in the DNS".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid8677
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Petr Špaček <pspacek@isc.org>
>>
>> Section: 8
>>
>> Original Text
>> -------------
>> <missing text>
>>
>> Corrected Text
>> --------------
>> DNAME redirects can be used to amplify the impact of successfully spoofing a
>> single DNS response. An attacker can generate an arbitrary query name in the
>> form of "$random.example." and simultaneously try to spoof a response. The
>> "$random" label provides the attacker with an unlimited number of spoof
>> attempts. A successful spoofing can include a DNAME RR with a QNAME's parent
>> name. Such a spoofed RR can redirect the whole parent zone to a malicious
>> target, or create a resolution loop.
>>
>> Consumers of DNS responses might consider the trustworthiness of DNAME RRs: Are
>> they DNSSEC-secure? Were they received via a non-spoofable transport (TCP, TLS,
>> UDP with DNS cookies, etc.)? Depending on security posture, consumers might
>> choose to not use untrustworthy DNAME RRs, or choose to re-query using a secure
>> transport like TCP.
>>
>>
>> Notes
>> -----
>> I believe Security Considerations should mention higher risk associated with DNAME spoofing.
>> Hardening described in the proposed text was deployed as (part of) fix for CVE-2025-40778 in BIND 9.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". (If it is spam, it
>> will be removed shortly by the RFC Production Center.) Please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> will log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
>> --------------------------------------
>> Title : DNAME Redirection in the DNS
>> Publication Date : June 2012
>> Author(s) : S. Rose, W. Wijngaards
>> Category : PROPOSED STANDARD
>> Source : DNS Extensions
>> Stream : IETF
>> Verifying Party : IESG
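The trustworthiness check the proposed Security Considerations text describes, as an added Python illustration that is not the erratum's text, not BIND's CVE-2025-40778 fix, and not part of this thread: a DNAME found in a reply is used only if it actually redirects the query name, does not point back under its own owner (a resolution loop), and was either DNSSEC-validated or received over a transport the text treats as non-spoofable; otherwise the resolver re-queries over TCP or, under a stricter policy, drops it. The transport labels, the `DnameRR` type and the sample names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ACCEPT = "accept"            # use and cache the DNAME
    REQUERY_TCP = "requery-tcp"  # discard, ask again over a spoof-resistant transport
    REJECT = "reject"            # discard outright

# Transports the erratum text treats as non-spoofable (labels constructed here)
SPOOF_RESISTANT = {"tcp", "tls", "udp+cookie"}

@dataclass(frozen=True)
class DnameRR:
    owner: str   # name the DNAME is attached to, e.g. "example."
    target: str  # redirection target, e.g. "attacker.test."

def labels(name: str) -> list[str]:
    """Absolute name -> lower-cased labels, root end first ("a.b." -> ["b", "a"])."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl][::-1]

def is_ancestor(ancestor: str, name: str, strict: bool = False) -> bool:
    """True when `ancestor` is at or above `name` (strict: strictly above)."""
    a, n = labels(ancestor), labels(name)
    if strict and len(a) >= len(n):
        return False
    return n[: len(a)] == a

def substitute(qname: str, rr: DnameRR) -> str:
    """RFC 6672 DNAME substitution: swap the owner suffix of qname for the target."""
    rest = labels(qname)[len(labels(rr.owner)):]  # labels below the DNAME owner
    return ".".join(reversed(labels(rr.target) + rest)) + "."

def creates_loop(rr: DnameRR) -> bool:
    """A target at or below its own owner re-triggers the DNAME on every substitution."""
    return is_ancestor(rr.owner, rr.target)

def evaluate_dname(qname: str, rr: DnameRR, transport: str,
                   dnssec_secure: bool, drop_untrusted: bool = False) -> Verdict:
    """Decide whether a DNAME seen in the reply for `qname` may be used."""
    if not is_ancestor(rr.owner, qname, strict=True):
        return Verdict.REJECT  # not a redirection of QNAME: DNAME applies only below its owner
    if creates_loop(rr):
        return Verdict.REJECT  # substitution would never terminate
    if dnssec_secure or transport in SPOOF_RESISTANT:
        return Verdict.ACCEPT
    return Verdict.REJECT if drop_untrusted else Verdict.REQUERY_TCP

if __name__ == "__main__":
    # Constructed sample: a "$random.example." query whose UDP reply carries a DNAME for the parent
    rr = DnameRR("example.", "attacker.test.")
    print(evaluate_dname("x7f3k9.example.", rr, "udp", dnssec_secure=False))  # Verdict.REQUERY_TCP
```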