[dnsext] Issue with RFC 4034, section 3 and section 4
Edward Lewis <Ed.Lewis@neustar.biz> Fri, 31 July 2009 21:16 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82E9C3A6D2B; Fri, 31 Jul 2009 14:16:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.495
X-Spam-Level:
X-Spam-Status: No, score=-1.495 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, GB_I_LETTER=-2, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OSoSNZRCWdE1; Fri, 31 Jul 2009 14:16:36 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8B1D73A6CCD; Fri, 31 Jul 2009 14:16:36 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MWzOz-000ChV-4w for namedroppers-data0@psg.com; Fri, 31 Jul 2009 21:12:33 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <Ed.Lewis@neustar.biz>) id 1MWzOs-000Cgr-N3 for namedroppers@ops.ietf.org; Fri, 31 Jul 2009 21:12:30 +0000
Received: from [10.31.200.165] (ns.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.3/8.14.3) with ESMTP id n6VLCM68025711; Fri, 31 Jul 2009 17:12:22 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Mime-Version: 1.0
Message-Id: <a06240800c698e34372b3@[10.31.200.165]>
Date: Fri, 31 Jul 2009 17:12:12 -0400
To: namedroppers@ops.ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: [dnsext] Issue with RFC 4034, section 3 and section 4
Cc: ed.lewis@neustar.biz
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.64 on 66.92.146.20
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
I'm doing a review of RFC 4034 and found something I'm concerned about. Not a protocol issue but a specification issue. Section 3 The RRSIG Resource Record 3rd paragraph reads: # Because every authoritative RRset in a zone must be protected by a # digital signature, RRSIG RRs must be present for names containing a # CNAME RR. This is a change to the traditional DNS specification # [RFC1034], which stated that if a CNAME is present for a name, it is # the only type allowed at that name. A RRSIG and NSEC (see Section 4) # MUST exist for the same name as a CNAME resource record in a signed # zone. The text I am concerned about is "RRSIG RRs must be present for names containing a CNAME RR." My concern is over the word "containing" with DNAME's CNAME-synthesis in the back of my mind. I'd suggest a clarification be made (and carried in any appropriate document vehicle) to say: ..., even an explicitly defined CNAME RR(set) MUST have an a set of associated RRSIG(s). ("Explicitly defined" excludes CNAME RRsets that result from a wild card synthesis [RFC4592] or DNAME synthesis [RFC2672/bis].) Note that in the orginal text, "must" is not capitalized. I am supposing that is due to an editorial oversight. 4. The NSEC Resource Record 2nd paragraph reads: # Because every authoritative name in a zone must be part of the NSEC # chain, NSEC RRs must be present for names containing a CNAME RR. # This is a change to the traditional DNS specification [RFC1034], # which stated that if a CNAME is present for a name, it is the only # type allowed at that name. An RRSIG (see Section 3) and NSEC MUST # exist for the same name as does a CNAME resource record in a signed # zone. Again, "must" appears in small letters. The text that needs to be cleaned up is "An RRSIG (see Section 3) and NSEC MUST exist for the same name as does a CNAME resource record in a signed zone." But in this case, the clean up is not so important. Bearing in mind 4034 predates 5155 and any update won't: Domain names that own an explicit CNAME (excluding synthesized as a result of a wild card or DNAME) MUST have an NSEC RRset and its associated RRSIG (see section 3) records, if the zone uses NSEC-style negative answers. Editorial note to that: 1, we have to define "NSEC-style negative answers" in a glossary as "a configuration of DNSSEC in which a zone uses NSEC records whenever a negative result is needed to be expressed" - as opposed to NSEC3-style which has to expand the definition to treat opt-out. 2, The text does not mention NSEC3 because NSEC3 would be owned by a hash name, not a name with CNAME unless the hash name manages to be a name that would have a CNAME. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Issue with RFC 4034, section 3 and secti… Edward Lewis