[dnsext] [Errata Verified] RFC5702 (7090)
RFC Errata System <rfc-editor@rfc-editor.org> Fri, 26 August 2022 19:34 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4CF9C14F73D; Fri, 26 Aug 2022 12:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.959
X-Spam-Level:
X-Spam-Status: No, score=-3.959 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TK-VblkSfk6Q; Fri, 26 Aug 2022 12:34:11 -0700 (PDT)
Received: from rfcpa.amsl.com (rfc-editor.org [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D6DDC14CE41; Fri, 26 Aug 2022 12:34:10 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id C020E55EDD; Fri, 26 Aug 2022 12:34:10 -0700 (PDT)
To: peter.van.dijk@powerdns.com, jelte@NLnetLabs.nl
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: warren@kumari.net, iesg@ietf.org, dnsext@ietf.org, iana@iana.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20220826193410.C020E55EDD@rfcpa.amsl.com>
Date: Fri, 26 Aug 2022 12:34:10 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/XguPsGvIJZLh-AorgVdE6hLuXqA>
Subject: [dnsext] [Errata Verified] RFC5702 (7090)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2022 19:34:14 -0000
The following errata report has been verified for RFC5702, "Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid7090 -------------------------------------- Status: Verified Type: Technical Reported by: Peter van Dijk <peter.van.dijk@powerdns.com> Date Reported: 2022-08-15 Verified by: Warren Kumari (Ops AD) (IESG) Section: 8.2 Original Text ------------- 8.2. Signature Type Downgrade Attacks Since each RRSet MUST be signed with each algorithm present in the DNSKEY RRSet at the zone apex (see Section 2.2 of [RFC4035]), a malicious party cannot filter out the RSA/SHA-2 RRSIG and force the validator to use the RSA/SHA-1 signature if both are present in the zone. This should provide resilience against algorithm downgrade attacks, if the validator supports RSA/SHA-2. Corrected Text -------------- [none] Notes ----- The section is incorrect in its entirety. Although the requirement on signers does exist, there is no related requirement for validators to check that all signature algorithms are present. RFC6840 5.11 (which I do realise is newer than RFC5702) re-states this explicitly, where RFC4035 merely implied this distinction. -------------------------------------- RFC5702 (draft-ietf-dnsext-dnssec-rsasha256-14) -------------------------------------- Title : Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC Publication Date : October 2009 Author(s) : J. Jansen Category : PROPOSED STANDARD Source : DNS Extensions Area : Internet Stream : IETF Verifying Party : IESG
- [dnsext] [Errata Verified] RFC5702 (7090) RFC Errata System