[dnsext] Issue with RFC 4034, section 3 and section 4
Edward Lewis <Ed.Lewis@neustar.biz> Fri, 31 July 2009 21:16 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82E9C3A6D2B; Fri, 31 Jul 2009 14:16:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.495
X-Spam-Level:
X-Spam-Status: No, score=-1.495 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, GB_I_LETTER=-2, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OSoSNZRCWdE1; Fri, 31 Jul 2009 14:16:36 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8B1D73A6CCD; Fri, 31 Jul 2009 14:16:36 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MWzOz-000ChV-4w for namedroppers-data0@psg.com; Fri, 31 Jul 2009 21:12:33 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <Ed.Lewis@neustar.biz>) id 1MWzOs-000Cgr-N3 for namedroppers@ops.ietf.org; Fri, 31 Jul 2009 21:12:30 +0000
Received: from [10.31.200.165] (ns.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n6VLCM68025711; Fri, 31 Jul 2009 17:12:22 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Mime-Version: 1.0
Message-Id: <a06240800c698e34372b3@[10.31.200.165]>
Date: Fri, 31 Jul 2009 17:12:12 -0400
To: namedroppers@ops.ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: [dnsext] Issue with RFC 4034, section 3 and section 4
Cc: ed.lewis@neustar.biz
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
I'm doing a review of RFC 4034 and found something I'm concerned
about. Not a protocol issue but a specification issue.
Section 3 The RRSIG Resource Record
3rd paragraph reads:
# Because every authoritative RRset in a zone must be protected by a
# digital signature, RRSIG RRs must be present for names containing a
# CNAME RR. This is a change to the traditional DNS specification
# [RFC1034], which stated that if a CNAME is present for a name, it is
# the only type allowed at that name. A RRSIG and NSEC (see Section 4)
# MUST exist for the same name as a CNAME resource record in a signed
# zone.
The text I am concerned about is "RRSIG RRs must be present for names
containing a CNAME RR." My concern is over the word "containing"
with DNAME's CNAME-synthesis in the back of my mind.
I'd suggest a clarification be made (and carried in any appropriate
document vehicle) to say:
..., even an explicitly defined CNAME RR(set) MUST have an a set of
associated RRSIG(s). ("Explicitly defined" excludes CNAME RRsets that
result from a wild card synthesis [RFC4592] or DNAME synthesis
[RFC2672/bis].)
Note that in the orginal text, "must" is not capitalized. I am
supposing that is due to an editorial oversight.
4. The NSEC Resource Record
2nd paragraph reads:
# Because every authoritative name in a zone must be part of the NSEC
# chain, NSEC RRs must be present for names containing a CNAME RR.
# This is a change to the traditional DNS specification [RFC1034],
# which stated that if a CNAME is present for a name, it is the only
# type allowed at that name. An RRSIG (see Section 3) and NSEC MUST
# exist for the same name as does a CNAME resource record in a signed
# zone.
Again, "must" appears in small letters. The text that needs to be
cleaned up is "An RRSIG (see Section 3) and NSEC MUST exist for the
same name as does a CNAME resource record in a signed zone." But in
this case, the clean up is not so important.
Bearing in mind 4034 predates 5155 and any update won't:
Domain names that own an explicit CNAME (excluding synthesized as a
result of a wild card or DNAME) MUST have an NSEC RRset and its
associated RRSIG (see section 3) records, if the zone uses NSEC-style
negative answers.
Editorial note to that: 1, we have to define "NSEC-style negative
answers" in a glossary as "a configuration of DNSSEC in which a zone
uses NSEC records whenever a negative result is needed to be
expressed" - as opposed to NSEC3-style which has to expand the
definition to treat opt-out. 2, The text does not mention NSEC3
because NSEC3 would be owned by a hash name, not a name with CNAME
unless the hash name manages to be a name that would have a CNAME.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Issue with RFC 4034, section 3 and secti… Edward Lewis