RFC4034 6.2 item 3
"Olaf M. Kolkman" <olaf@NLnetLabs.nl> Sat, 10 March 2007 09:34 UTC
Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HPxyF-0004hh-F4; Sat, 10 Mar 2007 04:34:35 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HPxyB-0008S0-23; Sat, 10 Mar 2007 04:34:35 -0500
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HPxr0-000Odu-5t for namedroppers-data@psg.com; Sat, 10 Mar 2007 09:27:06 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.7
Received: from [213.154.224.1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63 (FreeBSD)) (envelope-from <olaf@NLnetLabs.nl>) id 1HPxqx-000OdZ-5f for namedroppers@ops.ietf.org; Sat, 10 Mar 2007 09:27:05 +0000
Received: from [127.0.0.1] (open.nlnetlabs.nl [213.154.224.1]) by open.nlnetlabs.nl (8.13.8/8.13.8) with ESMTP id l2A9Qs3W066785 for <namedroppers@ops.ietf.org>; Sat, 10 Mar 2007 10:26:54 +0100 (CET) (envelope-from olaf@NLnetLabs.nl)
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Transfer-Encoding: 7bit
Message-Id: <040FB311-41B3-4906-8593-F56E26E8C835@NLnetLabs.nl>
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Apple-Mail-37--209402984"
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>
From: "Olaf M. Kolkman" <olaf@NLnetLabs.nl>
Subject: RFC4034 6.2 item 3
Date: Sat, 10 Mar 2007 10:26:48 +0100
X-Pgp-Agent: GPGMail 1.1.2 (Tiger)
X-Mailer: Apple Mail (2.752.2)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5011df3e2a27abcc044eaa15befcaa87
Dear Colleagues, We recently discovered an interoperability problem that can be argued to be a protocol bug or an editing error. A popular zone signer and its corresponding validator implementation does not lowercase the next domain name in the RDATA, while according to RFC4034 section 6.2 item 3 that should be done. The bug was discovered when NSD was deployed as a one of the servers in an authoritative server cloud. During the zone transfer NSD 'lowercases the NSEC RDATA' and starts to hand out different NSEC RDATA then was used for input. One could argue that NSEC is listed in item 3 of section 6.2 in 4034 in error: The original NSEC specification (RFC3845) does not contain rules to make NSEC canonical and therefore the default was to use the RFC3597 (Unknown RRs) behavior. RFC3597 does not list. On the other hand one could argue that when the NSEC is a 'carbon copy' of the NXT RR and therefore RFC3597 behavior should have applied and not mentioning the requirement to lowercase the dname before signature creation in RFC3845 was an error. Besides, the RFC35977 case preservation is (most) relevant for implementations of DNSSEC validation code but those are also the ones that must have detailed knowledge of the NSEC RR so IMHO the deviation of 4034 of 3597 should in theory not have caused problems. One of the argument to lower-case the data before signing is that the _information_ you want to transport with the NSEC RR is the _canonical_ ordering in which casing is irrelevant. There is one practical example, a bit far fetched, where not lowercasing the dname before signing can hurt you: Assume two sites that AXFR data between them (AXFR does not guarantee casing of onwer names to be preserved). Both dynamically generate NSECs and sign then dynamically. Now we have the case that for one zone the RRSIGs for the NSECs data generated by one server (which is exactly the same as for the other, except for the casing) cannot be used to validate the NSEC RRset of the other. A bit construed, but still. I also understand there is an installed-base argument that weighs heavily for saying that 4034 is in error: At this moment there are implementations that take a different interpretation. I think it is fair to say that the signer and validator with the largest deployment base treat the data as case sensitive. Because of the argument that it is the information in the NSEC that matters, the protocol geek in me has a slight preference for the interpretation as in 4034, it is cleaner protocol wise. Practically I want to have this fixed ASAP and the least disruptive way is to scrap NSEC from the above mentioned item 3 in 6.2 of 4034 and to have NLnet Labs patch NSD. It is important that the working group chooses a position fast. I leave it to Olafur to judge consensus. The result should go into draft-ietf-dnsext-dnssec-updates. --Olaf ----------------------------------------------------------- Olaf M. Kolkman NLnet Labs http://www.nlnetlabs.nl/
- RFC4034 6.2 item 3 Olaf M. Kolkman