Return-Path: <pspacek@isc.org>
X-Original-To: dnsext@mail2.ietf.org
Delivered-To: dnsext@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1])
	by mail2.ietf.org (Postfix) with ESMTP id B2C8F9A98B35
	for <dnsext@mail2.ietf.org>; Mon, 15 Dec 2025 00:31:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level: 
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3,
	RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
	RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001]
	autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key)
	header.d=isc.org header.b="fGr25+Zj"; dkim=pass (1024-bit key)
	header.d=isc.org header.b="ALA0AY9f"
Received: from mail2.ietf.org ([166.84.6.31])
	by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id bJhy1lhqPCFr for <dnsext@mail2.ietf.org>;
	Mon, 15 Dec 2025 00:31:12 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by mail2.ietf.org (Postfix) with ESMTPS id 1AFEF9A98A65
	for <dnsext@ietf.org>; Mon, 15 Dec 2025 00:31:10 -0800 (PST)
Received: from zimbra10.isc.org (zimbra10.isc.org [149.20.2.90])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(Client did not present a certificate)
	by mx.pao1.isc.org (Postfix) with ESMTPS id E83124E40D5;
	Mon, 15 Dec 2025 08:31:02 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org E83124E40D5
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.90
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1765787463; cv=none;
 b=bPRnRC218DIhaKEp50NaEcjiRvj0Q+gb6hzbWKib7UFifo9PZmlT1ZEvpI1s8ngm7nC7rvwMdDoF0nBti8fWsJYKYwDjg9YDoUnAB0DnRAPAlx7knZ6DNq3TvoVRNrpfiOxyLlEtTOw8ltBFWAkvVzcFgm3B9a7u1aIz7ngTCTw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1765787463;
	c=relaxed/relaxed; bh=OdaWDyit8C4XXRodHop+fChSQl+HsSDi225EIaBl4NU=;
	h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version:
	 Subject:To:From;
 b=MKZ2xv1cb7/boUGbB2pgxpSe9bFEWRRVpJfje5J2WHjHmYfhh0l1hFp+BOSCLFVDNVNTgQ09AdwE6x/znxmlF6gD7t6WnzG5XJ6TrQ8Z7DsVOQXQvmMbJteBaBaplCVwXQ0tWejHu8N+irgiQrXjYbMK4RbZI+hxFl1RlZs8b4o=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org E83124E40D5
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay;
	t=1765787462; bh=5vPWfeaMtoqoWegiXi9b8tHWapMLhZqT5SSkF1HZerw=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To;
	b=fGr25+Zjd87E6IMp3b88HA2gWy/hXzdQFiy1JoYb8dPaSDIJ+OUSGhkvpuKOKWGvI
	 FSshllt6ecchTAxFOfOKsp2bV4fG9+hyjT7IHgizgNyRQ++3tnMMPdPsraPnIbJO1F
	 b5h6+KwA96Q3UBh7HUARIwvn1tDIxZATvMwf111g=
Received: from zimbra10.isc.org (localhost [127.0.0.1])
	by zimbra10.isc.org (Postfix) with ESMTPS id E1EA92E6025C;
	Mon, 15 Dec 2025 08:31:02 +0000 (UTC)
Received: from zimbra10.isc.org (localhost [127.0.0.1])
	by zimbra10.isc.org (Postfix) with ESMTPS id D247A2E602A1;
	Mon, 15 Dec 2025 08:31:02 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbra10.isc.org D247A2E602A1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org;
	s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1765787462;
	bh=OdaWDyit8C4XXRodHop+fChSQl+HsSDi225EIaBl4NU=;
	h=Message-ID:Date:MIME-Version:To:From;
	b=ALA0AY9fsm0QBHO+eFCP25hmQyYf2sHkaohkaX0t8q2jMKnevOrKU1GKREP6xZtyH
	 hjanCUREGYkMknfAoN3rzGZcyjWBsOGwZaK7gPJ/avuwMKljlhkkxMVUsS+gvJIKZS
	 FvW0TSg+N/75Pkof+s+osPlnjj0LomVSK9RA3PJo=
Received: from [192.168.35.197] (ip-86-49-241-95.bb.vodafone.cz
 [86.49.241.95])
	by zimbra10.isc.org (Postfix) with ESMTPSA id 77F4E2E6025C;
	Mon, 15 Dec 2025 08:31:01 +0000 (UTC)
Message-ID: <3855054a-08e4-4ec6-9c51-97826003ad10@isc.org>
Date: Mon, 15 Dec 2025 09:30:59 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Olafur Gudmundsson <ogud@ogud.com>, Paul Hoffman <phoffman@proper.com>
References: <20251212155555.DF41CC000CC9@rfcpa.rfc-editor.org>
 <F2DD3248-E198-4B0E-A75A-84D464A4F45E@proper.com>
 <74055991-5D57-4F3F-BF64-7AD22AC569B4@ogud.com>
From: Petr Špaček <pspacek@isc.org>
Content-Language: en-US
Autocrypt: addr=pspacek@isc.org; keydata=
 xsFNBF/OJ/4BEAC0jP/EShRZtcI9KmzVK4IoD/GEDtcaNEEQzPt05G8xtC0P4uteXUwW8jaB
 CdcKIKR4eUJw3wdXXScLNlyh0i+gm5mIvKPrBYNAMOGGnkbAmMQOt9Q+TyGeTSSGiAjfvd/N
 nYg7L/KjVbG0sp6pAWVORMpR0oChHflzKSjvJITCGdpwagxSffU2HeWrLN7ePES6gPbtZ8HY
 KHUqjWZQsXLkMFw4yj8ZXuGarLwdBMB7V/9YHVkatJPjTsP8ZE723rV18iLiMvBqh4XtReEP
 0vGQgiHnLnKs+reDiFy0cSOG0lpUWVGI50znu/gBuZRtTAE0LfMa0oAYaq997Y4k+na6JvHK
 hhaZMy82cD4YUa/xNnUPMXJjkJOBV4ghz/58GiT32lj4rdccjQO4zlvtjltjp9MTOFbRNI+I
 FCf9bykANotR+2BzttYKuCcred+Q7+wSDp9FQDdpUOiGnzT8oQukOuqiEh3J8hinHPGhtovH
 V22D0cU6T/u9mzvYoULhExPvXZglCLEuM0dACtjVsoyDkFVnTTupaPVuORgoW7nyNl0wDrII
 ILBqUBwzCdhQpYnyARSjx0gWSG1AQBKkk5SHQBqi1RAYC38M59SkpH0IKj+SaZbUJnuqshXh
 UIbY1GMHbW/GDhz7pNQFFYm2S4OPUBcmh/0O0Osma151/HjF7wARAQABzR9QZXRyIMWgcGHE
 jWVrIDxwc3BhY2VrQGlzYy5vcmc+wsGXBBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
 AheAAhkBFiEEEVO2++xeDVoSYmDzq9WHzfBlga4FAmkt8P0FCQtoiX8ACgkQq9WHzfBlga4m
 OxAAhBZyC7vnxl3kjFPFRT39ocbZy1jJX4fiaJmiIgKma06c9Eled/w2IN9pzRc0+iI6jSQa
 40NfHFV8g2KZfZUNEVE3BOliWdEFi61OcwxB/UeryGDJUFYfK4un7ibYv4Rzvrfpz13aQ0/z
 MVm2HA3OVwkTqnK+dJL//d3AmED66oJKUFXU9tG5kUGNqbVrZNSiegZXC/TloO0+eYYN63Fm
 EHvWE20NcgdciG4y/pdtBXcWSwt21tSeqiZqN5L8LvfAGmJ1gdi6p4eHvPEH1WSOqUEZmy5l
 +5BE6xA2z4bfNpCYSir6GwFTOQwxHeekLKJktgsLjYY8oHbmPjIIdEzkcV8dD8czJEPo0sqe
 VB4qTun8cCE4AkVofpo5MMwni/3DLlm9bgV8tKJ3sAqwo6bEWk8dU9QqlcwiYb5S1KPbWrwO
 89cIJNLIu9rO3nemWFDwNq6mFuNdNWSDciLV434P5xZ0y5Xy09n5dGhCgYZTRv1JTLmXEO+H
 aw6iRgLNZmImYB0VpoPPHBjIavsY211qyLIwDRaUykELhGaBk7P1zKhC91ZD866CbR3x6ptv
 EuFuJ2myZT1dIalWiFf0HaVhrMHm8y8ih1sn9Ezdxnle7Hxyjgp//CtM92GCjU8iuqYQOzNq
 B9LWBU6NTtGx5Tktf2/Vin2ADqiiVN1EDOQd9tvOwU0EX84n/gEQANARNXihDNc1fLNFZK5s
 O14Yg2TouK9eo9gGh4yLSrmZ3pjtnuJSpTWmGD4g0EYzhwWA/T+CqjUnrhsvzLQ1ECYVqLpM
 VqK2OJ9PhLRbx1ITd4SKO/0xvXFkUqDTIF6a5mUCXH5DzTQGSmJwcjoRv3ye+Z1lDzOKJ+Qr
 gDHM2WLGlSZAVGcUeD1S2Mp/FroNOjGzrFXsUhOBNMo8PSC4ap0ZgYeVBq5aiMaQex0r+uM4
 45S1z5N2nkNRYlUARkfKirqQxJ4mtj5XPC/jtdaUiMzvnwcMmLAwPlDNYiU0kO5IqJFBdzmJ
 yjzomVk1zK9AYS/woeIxETs+s6o7qXtMGGIoMWr6pirpHk4Wgp4TS02BSTSmNzParrFxLpEU
 dFKq3M0IsBCVGvfNgWL2pKKQVq34fwuBhJFQAigR9B3O9mfaeejrqt73Crp0ng0+Q74+Llzj
 EIJLOHYTMISTJyxYzhMCQlgPkKoj+TSVkRzBZoYFkUt4OXvlFj73wkeqeF8Z1YWoOCIjwXH9
 0u2lPEq0cRHHyK+KSeH1zQJ4xgj0QDGPmkvi81D13sRaaNu3uSfXEDrdYYc+TSZd2bVh2VCr
 xrcfzQ1uz9fsdC9NPdNd7/mHvcAaNc5e9IhNh67L54aMBkzlJi18d0sWXOOHkyLSvbHnC/OP
 wv7qCf69PUJmtoeHABEBAAHCwXwEGAEIACYCGwwWIQQRU7b77F4NWhJiYPOr1YfN8GWBrgUC
 aS3xCAUJC2iJigAKCRCr1YfN8GWBrgJJD/4oabL/T67M7GNPB1Q+1ghSpi3LJEwDqeaULNZv
 2exo7N59cChW5DXD5e/rkvQM7yOsaKJBwkpjY2+vk4+Tw9iU1iqzS0iavr9A3i9mHJjlp4it
 u6oDBHCGMqBGZHHGP4O9xPuIoW6s50yP31NLbIGP4KGD03S1JtOBrETlTyr6a0mN4HrRnAkz
 nOa2l7npRvgkRpdr/vDmbAkyZYXcUCQSWsOKzRrcCrqRxzF7Ob39Xw+SrPv7hMBShzOVJCj6
 XwOsu+F/hmRK5TML8+yZ+wGbrcTyxJ8qkKtwtDJXPMVY993f1k50/bquRdjX5wHTthvf6o9A
 2cmZtbL0fVm2KEWNV3xDk52cJj7MqBk1M/mj1q8+6UzN9hTxN0N77u1sosgguW/8PWu/v2yy
 kUs2huxaqDkdrPc6kKuKbCGpkT5/89S6gvQSNx5IlVl0uWzJRat1h9HkdkO0CBYRX51Rv33W
 BF4qJ73o2dfrUchs70rher6734c21z8DUhDkvnPGIgLh4tYrYHNcM4akBTUt9k38xMGrj6yo
 kRjP6Pq9jhLwJBxxBRDEXn3vse8uy1s1sp9rhBxSS7bEHfmyz71h6ccALCFBlBzqfMediCAE
 0PEMOPrXM0NU+o25vNC8BuWWpPf+fzvkLf+sEyYcIdwbHZ/V2qv97JvYX0FpMwmeyw4O2g==
In-Reply-To: <74055991-5D57-4F3F-BF64-7AD22AC569B4@ogud.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Message-ID-Hash: T5S72ATQPOD2UYGAFQA4VQKDZ6CCKRDU
X-Message-ID-Hash: T5S72ATQPOD2UYGAFQA4VQKDZ6CCKRDU
X-MailFrom: pspacek@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-dnsext.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: RFC Errata System <rfc-editor@rfc-editor.org>,
 Scott Rose <scott.rose@nist.gov>, ek.ietf@gmail.com,
 Eric Vyncke <evyncke@cisco.com>, dnsext@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dnsext] Re: [Technical Errata Reported] RFC6672 (8677)
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/dnsext/SFoSsWojL5ivPsZs-Oix840kmTM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Owner: <mailto:dnsext-owner@ietf.org>
List-Post: <mailto:dnsext@ietf.org>
List-Subscribe: <mailto:dnsext-join@ietf.org>
List-Unsubscribe: <mailto:dnsext-leave@ietf.org>

Of course I'm fine with "hold for update".

If there were a bug tracker for RFCs I would use that, but to the best of 
my knowledge the errata process is the closest thing we have, so here we go.

IMHO that is better than relying on 'tribal knowledge', as Warren puts it.

Petr Špaček
Internet Systems Consortium

On 13. 12. 25 5:02, Olafur Gudmundsson wrote:
> I agree with Paul: this is not an error but a warning about abuse; we cannot update an RFC every time someone thinks of a possible “misuse”.
> Olafur
> 
> 
>> On Dec 12, 2025, at 13:03, Paul Hoffman <phoffman@proper.com> wrote:
>>
>> This is not actually an erratum (given that it is for "missing text"), it is a plea to start an update to RFC 6672, which already has errata. It should be marked as "hold for update" so that it is remembered when someone updates RFC 6672.
>>
>> --Paul Hoffman
>>
>> On 12 Dec 2025, at 7:55, RFC Errata System wrote:
>>
>>> The following errata report has been submitted for RFC6672,
>>> "DNAME Redirection in the DNS".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid8677
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Petr Špaček <pspacek@isc.org>
>>>
>>> Section: 8
>>>
>>> Original Text
>>> -------------
>>> <missing text>
>>>
>>> Corrected Text
>>> --------------
>>> DNAME redirects can be used to amplify the impact of successfully spoofing a
>>> single DNS response. An attacker can generate an arbitrary query name in the
>>> form of "$random.example." and simultaneously try to spoof a response. The
>>> "$random" label provides the attacker with an unlimited number of spoof
>>> attempts. A successful spoofing can include a DNAME RR with a QNAME's parent
>>> name. Such a spoofed RR can redirect the whole parent zone to a malicious
>>> target, or create a resolution loop.
>>>
>>> Consumers of DNS responses might consider the trustworthiness of DNAME RRs: Are
>>> they DNSSEC-secure? Were they received via a non-spoofable transport (TCP, TLS,
>>> UDP with DNS cookies, etc.)? Depending on security posture, consumers might
>>> choose to not use untrustworthy DNAME RRs, or choose to re-query using a secure
>>> transport like TCP.
>>>
>>>
>>> Notes
>>> -----
>>> I believe the Security Considerations should mention the higher risk associated with DNAME spoofing. The hardening described in the proposed text was deployed as (part of) the fix for CVE-2025-40778 in BIND 9.
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". (If it is spam, it
>>> will be removed shortly by the RFC Production Center.) Please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> will log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
>>> --------------------------------------
>>> Title               : DNAME Redirection in the DNS
>>> Publication Date    : June 2012
>>> Author(s)           : S. Rose, W. Wijngaards
>>> Category            : PROPOSED STANDARD
>>> Source              : DNS Extensions
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>
>> _______________________________________________
>> dnsext mailing list -- dnsext@ietf.org
>> To unsubscribe send an email to dnsext-leave@ietf.org
> 


-- 
Petr Špaček
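The erratum's proposed text describes two things a resolver can do with a DNAME it receives: decide whether to trust it (DNSSEC-secure, or received over a transport that cannot be spoofed off-path) and, if not, either discard it or re-query over TCP. The example below, added here and not code from this thread, from RFC 6672 or from BIND 9, works that decision through alongside the RFC 6672 substitution rule and the resolution-loop case the erratum mentions. The `Transport`, `Security` and `Action` enums, the `require_secure` knob and the constructed sample response are all assumptions made for the illustration.

```python
"""DNAME handling from a validating resolver's point of view.

Added example, not BIND's code. It models the policy the errata text proposes:
an unauthenticated DNAME received over plain UDP is the high-impact spoofing
case, so it is either discarded or re-fetched over TCP before being used.
"""
from enum import Enum


class Transport(Enum):          # assumed names, not from any RFC
    UDP = "udp"                 # plain UDP: spoofable off-path
    UDP_COOKIE = "udp+cookie"   # UDP with DNS cookies (RFC 7873)
    TCP = "tcp"
    TLS = "tls"


class Security(Enum):           # DNSSEC validation outcome for the DNAME RR
    SECURE = "secure"
    INSECURE = "insecure"       # unsigned zone / no validation possible
    BOGUS = "bogus"             # signature present but failed


class Action(Enum):
    USE = "use"
    REQUERY_TCP = "re-query over TCP"
    DISCARD = "discard"


NON_SPOOFABLE = {Transport.UDP_COOKIE, Transport.TCP, Transport.TLS}


def _labels(name: str) -> list[str]:
    """Presentation-format name -> list of lower-cased labels, root == []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_proper_ancestor(owner: str, qname: str) -> bool:
    """True if owner is a strict ancestor of qname (RFC 6672 only applies then)."""
    ol, ql = _labels(owner), _labels(qname)
    return len(ql) > len(ol) and ql[len(ql) - len(ol):] == ol


def dname_substitute(qname: str, owner: str, target: str):
    """RFC 6672 section 2.2: replace the owner suffix of qname with target.

    Returns the new name, or None if the DNAME does not apply or the result
    would exceed the 255-octet wire limit (the RFC's YXDOMAIN case).
    """
    if not is_proper_ancestor(owner, qname):
        return None
    ql, ol = _labels(qname), _labels(owner)
    new_labels = ql[:len(ql) - len(ol)] + _labels(target)
    wire_len = sum(len(l) + 1 for l in new_labels) + 1  # label bytes + root
    if wire_len > 255:
        return None
    return ".".join(new_labels) + "."


def dname_creates_loop(owner: str, target: str) -> bool:
    """A target equal to or below the owner re-enters the DNAME forever."""
    return _labels(target) == _labels(owner) or is_proper_ancestor(owner, target)


def dname_policy(transport: Transport, security: Security,
                 require_secure: bool = False) -> Action:
    """The erratum's trust decision for a received DNAME RR."""
    if security is Security.BOGUS:
        return Action.DISCARD
    if security is Security.SECURE:
        return Action.USE                      # DNSSEC settles it
    if transport in NON_SPOOFABLE:
        return Action.USE                      # off-path spoofing impractical
    # Insecure DNAME over plain UDP: the amplified-spoofing case.
    return Action.DISCARD if require_secure else Action.REQUERY_TCP


def evaluate_dname_response(qname: str, owner: str, target: str,
                            transport: Transport, security: Security,
                            require_secure: bool = False):
    """Returns (Action, substituted name or None) for one DNAME answer."""
    if not is_proper_ancestor(owner, qname):
        return Action.DISCARD, None            # DNAME cannot apply to this QNAME
    if dname_creates_loop(owner, target):
        return Action.DISCARD, None            # would never terminate
    action = dname_policy(transport, security, require_secure)
    if action is not Action.USE:
        return action, None
    return Action.USE, dname_substitute(qname, owner, target)


if __name__ == "__main__":
    # Constructed sample: a response for a random-label query carrying a DNAME
    # for the query's parent, received over plain UDP with no DNSSEC.
    print(evaluate_dname_response("k3j9x.example.", "example.",
                                  "redirect.invalid.", Transport.UDP,
                                  Security.INSECURE))
    print(evaluate_dname_response("k3j9x.example.", "example.",
                                  "redirect.invalid.", Transport.TCP,
                                  Security.INSECURE))
```

The ordering matters: a DNAME whose owner is not an ancestor of the QNAME, or whose target loops back under the owner, is rejected before any transport question is asked, because no re-query would make it usable. Only a well-formed but unauthenticated DNAME over UDP reaches the `REQUERY_TCP` branch.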

