Re: [dnsext] [Ext] [Technical Errata Reported] RFC5155 (4993)
Roy Arends <roy.arends@icann.org> Tue, 18 April 2017 18:45 UTC
From: Roy Arends <roy.arends@icann.org>
To: Ben Laurie <ben@links.org>, "geoff-s@panix.com" <geoff-s@panix.com>, Roy Arends <roy@nominet.org.uk>, "davidb@verisign.com" <davidb@verisign.com>, "suresh.krishnan@ericsson.com" <suresh.krishnan@ericsson.com>, Terry Manderson <terry.manderson@icann.org>, Olafur Gud <ogud@ogud.com>, "ajs@anvilwalrusden.com" <ajs@anvilwalrusden.com>
CC: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, "dnsext@ietf.org" <dnsext@ietf.org>
Date: Tue, 18 Apr 2017 18:45:01 +0000
Message-ID: <6D38C6C1-0821-4129-ADE8-76C9F599E87C@icann.org>
References: <20170413161207.DB84EB80A47@rfc-editor.org> <A1B3B93F-14AB-4AA5-8CF8-959D316C90F1@vpnc.org>
In-Reply-To: <A1B3B93F-14AB-4AA5-8CF8-959D316C90F1@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/c6-48hX43RLYqXFPdWlHtW_S8HY>
The erratum is incorrect. The hash value for ns1.example is explicitly used as an owner name for a regular record (2t7b4g4vsa5smi47k61mv5bv1a22bojr.example A 192.0.2.127) to show that a potential collision between the owner names and the hashed space has no impact.

Roy

> Forwarded message:
>
>> From: RFC Errata System <rfc-editor@rfc-editor.org>
>> To: ben@links.org, geoff-s@panix.com, roy@nominet.org.uk, davidb@verisign.com, suresh.krishnan@ericsson.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com
>> Cc: rfc-editor@rfc-editor.org, dnsext@ietf.org
>> Subject: [dnsext] [Technical Errata Reported] RFC5155 (4993)
>> Date: Thu, 13 Apr 2017 09:12:07 -0700 (PDT)
>>
>> The following errata report has been submitted for RFC5155,
>> "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=4993
>> --------------------------------------
>> Type: Technical
>> Reported by: Dick Franks <rwfranks@acm.org>
>>
>> Section: Appendix A
>>
>> Original Text
>> -------------
>> ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
>> ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
>> ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
>> ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
>> ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
>> ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
>> ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
>> ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
>> ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
>> ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
>> ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
>> - ; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example)
>> - ;                  = kohar7mbb8dc2ce8a9qvl8hon4k53uhi
>> example.  3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 (
>>                       3600000 3600 )
>>           NS      ns1.example.
>>           NS      ns2.example.
>>           MX      1 xx.example.
>>           DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
>>                   sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
>>                   TY4hHn9npWFRw5BYubE= )
>>           DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
>>                   j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
>>                   AbsUdblMFin8CVF3n4s= )
>>           NSEC3PARAM 1 0 12 aabbccdd:1
>> 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
>>           2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
>>           SOA NSEC3PARAM RRSIG )
>> ! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
>> !         NSEC3 1 1 12 aabbccdd (
>>           2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
>> 2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
>>           35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
>> 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
>>           b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
>> a.example. NS ns1.a.example.
>>           NS ns2.a.example.
>>           DS 58470 5 1 (
>>                   3079F1593EBAD6DC121E202A8B766A6A4837206C )
>> ns1.a.example. A 192.0.2.5
>> ns2.a.example. A 192.0.2.6
>> ai.example. A 192.0.2.9
>>           HINFO "KLH-10" "ITS"
>>           AAAA 2001:db8:0:0:0:0:f00:baa9
>> b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
>>           gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
>> c.example. NS ns1.c.example.
>>           NS ns2.c.example.
>> ns1.c.example. A 192.0.2.7
>> ns2.c.example. A 192.0.2.8
>> gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
>>           ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
>>           RRSIG )
>> ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
>>           k8udemvp1j2f7eg6jebps17vp3n8i58h )
>> k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
>> !         kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
>> ! kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
>> !         q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
>> ns1.example. A 192.0.2.1
>> ns2.example. A 192.0.2.2
>> q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
>>           r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
>> r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
>>           t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
>> t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
>>           0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
>>           RRSIG )
>> *.w.example. MX 1 ai.example.
>> x.w.example. MX 1 xx.example.
>> x.y.w.example. MX 1 xx.example.
>> xx.example. A 192.0.2.10
>>           HINFO "KLH-10" "TOPS-20"
>>           AAAA 2001:db8:0:0:0:0:f00:baaa
>>
>> Corrected Text
>> --------------
>> ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
>> ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
>> ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
>> ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
>> ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
>> ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
>> ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
>> ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
>> ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
>> ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
>> ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
>> example.  3600 IN SOA ns1.example. bugs.x.w.example. 1 3600 300 (
>>                       3600000 3600 )
>>           NS      ns1.example.
>>           NS      ns2.example.
>>           MX      1 xx.example.
>>           DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
>>                   sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
>>                   TY4hHn9npWFRw5BYubE= )
>>           DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
>>                   j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
>>                   AbsUdblMFin8CVF3n4s= )
>>           NSEC3PARAM 1 0 12 aabbccdd:1
>> 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
>>           2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
>>           SOA NSEC3PARAM RRSIG )
>> ! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3 1 1 12 aabbccdd (
>>           2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
>> 2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
>>           35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
>> 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
>>           b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
>> a.example. NS ns1.a.example.
>>           NS ns2.a.example.
>>           DS 58470 5 1 (
>>                   3079F1593EBAD6DC121E202A8B766A6A4837206C )
>> ns1.a.example. A 192.0.2.5
>> ns2.a.example. A 192.0.2.6
>> ai.example. A 192.0.2.9
>>           HINFO "KLH-10" "ITS"
>>           AAAA 2001:db8:0:0:0:0:f00:baa9
>> b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
>>           gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
>> c.example. NS ns1.c.example.
>>           NS ns2.c.example.
>> ns1.c.example. A 192.0.2.7
>> ns2.c.example. A 192.0.2.8
>> gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
>>           ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
>>           RRSIG )
>> ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
>>           k8udemvp1j2f7eg6jebps17vp3n8i58h )
>> k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
>> !         q04jkcevqvmu85r014c7dkba38o0ji5r )
>> ns1.example. A 192.0.2.1
>> ns2.example. A 192.0.2.2
>> q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
>>           r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
>> r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
>>           t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
>> t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
>>           0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
>>           RRSIG )
>> *.w.example. MX 1 ai.example.
>> x.w.example. MX 1 xx.example.
>> x.y.w.example. MX 1 xx.example.
>> xx.example. A 192.0.2.10
>>           HINFO "KLH-10" "TOPS-20"
>>           AAAA 2001:db8:0:0:0:0:f00:baaa
>>
>> Notes
>> -----
>> The obligatory RRSIG records have been omitted for clarity.
>>
>> The zone prior to NSEC3 signing seems to have contained an unexpected
>> 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
>> which was then lovingly included in the NSEC3 chain.
>>
>> The error is readily detectable from the list of hashes of the original owner names.
>> The source zone prior to signing can never contain a hashed name.
>>
>> For completeness, B5 also needs a corresponding amendment, although this does not invalidate the proof presented therein.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC5155 (draft-ietf-dnsext-nsec3-13)
>> --------------------------------------
>> Title            : DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
>> Publication Date : March 2008
>> Author(s)        : B. Laurie, G. Sisson, R. Arends, D. Blacka
>> Category         : PROPOSED STANDARD
>> Source           : DNS Extensions
>> Area             : Internet
>> Stream           : IETF
>> Verifying Party  : IESG
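The point Roy makes can be checked mechanically: the example below (added here, not part of the message or of RFC 5155) recomputes the Appendix A hashed owner names with the RFC 5155 section 5 construction (SHA-1, salt aabbccdd, 12 iterations) and shows that an owner name which happens to equal a hash value still hashes to its own, distinct NSEC3 owner name, so it simply gets one more link in the chain. It assumes only the Python standard library; the base32hex encoder is written out so the block runs on any Python 3.

```python
import hashlib

# NSEC3 parameters from RFC 5155 Appendix A: hash algorithm 1 (SHA-1),
# 12 additional iterations, salt aabbccdd. Example values only, not a
# recommended production configuration.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
BASE32HEX_ALPHABET = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name: 'example.' -> 07 'example' 00."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), unpadded."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """RFC 5155 section 5: IH(salt,x,0) = H(x || salt); IH(salt,x,k) = H(IH(salt,x,k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names):
    """Return (hashed owner, original owner) pairs in hash order, i.e. the NSEC3 chain."""
    return sorted((nsec3_hash(n), n) for n in names)


if __name__ == "__main__":
    # Owner names of the Appendix A zone, including the one that looks like a hash
    # (it is the hash of ns1.example, reused deliberately as a regular owner name).
    zone_names = ["example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
                  "w.example.", "*.w.example.", "x.w.example.", "y.w.example.",
                  "x.y.w.example.", "xx.example.",
                  "2t7b4g4vsa5smi47k61mv5bv1a22bojr.example."]
    for hashed, owner in nsec3_chain(zone_names):
        print(f"{hashed}  <- {owner}")
```

Running it reproduces the H(...) comment block of Appendix A, including H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example) = kohar7mbb8dc2ce8a9qvl8hon4k53uhi, which is why the original text carries that extra NSEC3 RR and why the erratum's claim that a source zone "can never contain a hashed name" does not hold.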