[dnsext] [Technical Errata Reported] RFC6672 (8677)
RFC Errata System <rfc-editor@rfc-editor.org> Fri, 12 December 2025 15:55 UTC
To: scott.rose@nist.gov, wouter@nlnetlabs.nl, ek.ietf@gmail.com, evyncke@cisco.com, ogud@ogud.com, ajs@anvilwalrusden.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20251212155555.DF41CC000CC9@rfcpa.rfc-editor.org>
Date: Fri, 12 Dec 2025 07:55:55 -0800
CC: dnsext@ietf.org, rfc-editor@rfc-editor.org
Subject: [dnsext] [Technical Errata Reported] RFC6672 (8677)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/OO5sH2i4McpPimDbRsV1qqDIVB0>
The following errata report has been submitted for RFC6672, "DNAME Redirection in the DNS".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8677

--------------------------------------
Type: Technical
Reported by: Petr Špaček <pspacek@isc.org>

Section: 8

Original Text
-------------
<missing text>

Corrected Text
--------------
DNAME redirects can be used to amplify the impact of successfully spoofing a single DNS response. An attacker can generate an arbitrary query name in the form of "$random.example." and simultaneously try to spoof a response. The "$random" label provides the attacker with an unlimited number of spoof attempts. A successful spoofing can include a DNAME RR with a QNAME's parent name. Such a spoofed RR can redirect the whole parent zone to a malicious target, or create a resolution loop.

Consumers of DNS responses might consider the trustworthiness of DNAME RRs: Are they DNSSEC-secure? Were they received via a non-spoofable transport (TCP, TLS, UDP with DNS cookies, etc.)? Depending on security posture, consumers might choose to not use untrustworthy DNAME RRs, or choose to re-query using a secure transport like TCP.

Notes
-----
I believe Security Considerations should mention higher risk associated with DNAME spoofing. Hardening described in the proposed text was deployed as (part of) fix for CVE-2025-40778 in BIND 9.

Instructions:
-------------
This erratum is currently posted as "Reported". (If it is spam, it will be removed shortly by the RFC Production Center.) Please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
--------------------------------------
Title               : DNAME Redirection in the DNS
Publication Date    : June 2012
Author(s)           : S. Rose, W. Wijngaards
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Stream              : IETF
Verifying Party     : IESG
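One way a resolver could apply the trust check that the corrected text proposes, as an added Python example (not the errata's, ISC's or BIND's code): it validates that the DNAME owner is a proper ancestor of QNAME, rejects targets that would loop back under the owner, and only performs the RFC 6672 name substitution when the RR is DNSSEC-secure or arrived over a non-spoofable transport, otherwise asking for a TCP re-query. The `Response` fields, the set of transports treated as non-spoofable and the loop rule are assumptions of this example.

```python
from dataclasses import dataclass

# Assumption: transports the resolver treats as non-spoofable (errata text lists
# TCP, TLS and UDP with DNS cookies as examples).
SECURE_TRANSPORTS = {"tcp", "tls", "udp+cookie"}


def labels(name):
    """Split a dotted name into lower-cased labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_proper_ancestor(owner, name):
    """True if owner is a strict ancestor of name (owner != name)."""
    o, n = labels(owner), labels(name)
    return len(o) < len(n) and n[len(n) - len(o):] == o


def dname_substitute(qname, owner, target):
    """RFC 6672 substitution: replace the owner suffix of qname with target.
    Raises if the result would exceed the 255-octet wire-format name limit (YXDOMAIN)."""
    q = labels(qname)
    new = q[: len(q) - len(labels(owner))] + labels(target)
    if sum(len(l) + 1 for l in new) + 1 > 255:
        raise ValueError("YXDOMAIN: substituted name too long")
    return ".".join(new) + "."


def creates_loop(owner, target):
    """Assumption: a target at or below the owner redirects into itself (resolution loop)."""
    return labels(target) == labels(owner) or is_proper_ancestor(owner, target)


@dataclass(frozen=True)
class Response:          # constructed, minimal view of a parsed DNS response
    qname: str
    transport: str       # "udp", "udp+cookie", "tcp", "tls"
    dnssec_secure: bool  # DNAME RRset validated under DNSSEC
    dname_owner: str
    dname_target: str


def dname_policy(r):
    """Return (action, substituted_qname): reject, requery_tcp or accept."""
    if not is_proper_ancestor(r.dname_owner, r.qname):
        return ("reject", None)        # DNAME must cover a proper subdomain of its owner
    if creates_loop(r.dname_owner, r.dname_target):
        return ("reject", None)        # spoofed or broken DNAME that would loop
    if not (r.dnssec_secure or r.transport in SECURE_TRANSPORTS):
        return ("requery_tcp", None)   # untrustworthy: re-ask over a secure transport
    return ("accept", dname_substitute(r.qname, r.dname_owner, r.dname_target))
```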