Re: [dnsext] [Technical Errata Reported] RFC4592 (5119)

Mark Andrews <marka@isc.org> Fri, 22 September 2017 03:56 UTC

To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: ed.lewis@neustar.biz, suresh.krishnan@gmail.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com, K.Koymans@uva.nl, dnsext@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20170921105406.C6A89B81F0B@rfc-editor.org>
In-reply-to: Your message of "Thu, 21 Sep 2017 03:54:06 -0700." <20170921105406.C6A89B81F0B@rfc-editor.org>
Date: Fri, 22 Sep 2017 13:56:00 +1000
Message-Id: <20170922035600.5C31987A1BBB@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/bwSGKLchayL9_bG5kVIa1awAmao>
Subject: Re: [dnsext] [Technical Errata Reported] RFC4592 (5119)

Such NSEC records are identifiable as part of the validation process
and can be flagged to be ignored as part of the synthesis process
and/or be stored with the original wildcard name.  As an aside, named
saves validated wild card answers with their original wildcard name
so they can be found for data synthesis purposes.

I agree with Ed Lewis that this is not a problem with this RFC4592.

Mark

In message <20170921105406.C6A89B81F0B@rfc-editor.org>, RFC Errata System writes:
> The following errata report has been submitted for RFC4592,
> "The Role of Wildcards in the Domain Name System".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5119
> 
> --------------------------------------
> Type: Technical
> Reported by: Karst Koymans <K.Koymans@uva.nl>
> 
> Section: 4.7
> 
> Original Text
> -------------
> 4.7.  NSEC RRSet at a Wildcard Domain Name
> 
>    Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
>    Synthesis of these records will only occur when the query exactly
>    matches the record.  Synthesized NSEC RRs will not be harmful as they
>    will never be used in negative caching or to generate a negative
>    response [RFC2308].
> 
> 
> Corrected Text
> --------------
> 4.7.  NSEC RRSet at a Wildcard Domain Name
> 
>    Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
>    NSEC RRSets must not be synthesized from this wildcard NSEC.
> 
> Notes
> -----
> Synthesizing these records would destroy the semantics of the NSEC chain and
> could be very harmful if implementations would cache them and use them for
> "Aggressive Use of DNSSEC-Validated Cache" (RFC 8198).
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC4592 (draft-ietf-dnsext-wcard-clarify-11)
> --------------------------------------
> Title               : The Role of Wildcards in the Domain Name System
> Publication Date    : July 2006
> Author(s)           : E. Lewis
> Category            : PROPOSED STANDARD
> Source              : DNS Extensions
> Area                : Internet
> Stream              : IETF
> Verifying Party     : IESG
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
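
The identification step described in the reply above, as an added example that is not part of the original message and is not BIND's code: RFC 4035 section 5.3.2 lets a validator recognise a wildcard-expanded RRset from the RRSIG Labels field, so a synthesized NSEC can be re-keyed under its wildcard owner before it reaches a cache used for RFC 8198 synthesis. Function names and sample records are constructed for illustration.

```python
from typing import Dict, List, Optional


def labels(name: str) -> List[str]:
    """Split an owner name into lower-cased labels, dropping the root label."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def wildcard_source(owner: str, rrsig_labels: int) -> Optional[str]:
    """Return the wildcard name an RRset was expanded from, or None.

    The RRSIG Labels field counts the signed owner's labels without the root
    and without a leading "*" (RFC 4034 section 3.1.3). If the owner in the
    response has more labels than that, the RRset is a wildcard expansion
    (RFC 4035 section 5.3.2).
    """
    parts = labels(owner)
    count = len(parts) - (1 if parts and parts[0] == "*" else 0)
    if rrsig_labels > count:
        # A signature cannot cover more labels than the owner has.
        raise ValueError("RRSIG Labels exceeds owner label count")
    if rrsig_labels == count:
        return None  # exact owner, including a literal "*.zone" query
    # Keep the rightmost rrsig_labels labels and put "*" in front of them.
    return ".".join(["*"] + parts[len(parts) - rrsig_labels:]) + "."


def store_validated_nsec(cache: Dict[str, str], owner: str,
                         next_name: str, rrsig_labels: int) -> str:
    """Cache a validated NSEC under the name that really owns it.

    A synthesized NSEC is stored under its wildcard owner, never under the
    query name, so it cannot be read as a chain link starting at that name.
    """
    source = wildcard_source(owner, rrsig_labels)
    key = source if source else ".".join(labels(owner)) + "."
    cache[key] = next_name.lower()
    return key


if __name__ == "__main__":
    nsec_cache: Dict[str, str] = {}
    # Constructed response: NSEC query for host.example.com answered from
    # the wildcard *.example.com, whose RRSIG carries Labels = 2.
    print(store_validated_nsec(nsec_cache, "host.example.com.",
                               "mail.example.com.", 2))
    print(nsec_cache)
```
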