Re: [dnsext] [Ext] [Technical Errata Reported] RFC5155 (4993)

Roy Arends <roy.arends@icann.org> Tue, 18 April 2017 18:45 UTC

From: Roy Arends <roy.arends@icann.org>
To: Ben Laurie <ben@links.org>, "geoff-s@panix.com" <geoff-s@panix.com>, Roy Arends <roy@nominet.org.uk>, "davidb@verisign.com" <davidb@verisign.com>, "suresh.krishnan@ericsson.com" <suresh.krishnan@ericsson.com>, Terry Manderson <terry.manderson@icann.org>, Olafur Gud <ogud@ogud.com>, "ajs@anvilwalrusden.com" <ajs@anvilwalrusden.com>
CC: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, "dnsext@ietf.org" <dnsext@ietf.org>
Date: Tue, 18 Apr 2017 18:45:01 +0000
Message-ID: <6D38C6C1-0821-4129-ADE8-76C9F599E87C@icann.org>
References: <20170413161207.DB84EB80A47@rfc-editor.org> <A1B3B93F-14AB-4AA5-8CF8-959D316C90F1@vpnc.org>
In-Reply-To: <A1B3B93F-14AB-4AA5-8CF8-959D316C90F1@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/c6-48hX43RLYqXFPdWlHtW_S8HY>
Subject: Re: [dnsext] [Ext] [Technical Errata Reported] RFC5155 (4993)

The erratum is incorrect.

The hash value for ns1.example is explicitly used as an owner name for a regular record (2t7b4g4vsa5smi47k61mv5bv1a22bojr.example A 192.0.2.127) to show that a potential collision between the owner names and the hashed space has no impact.

Roy


> Forwarded message:
> 
>> From: RFC Errata System <rfc-editor@rfc-editor.org>
>> To: ben@links.org, geoff-s@panix.com, roy@nominet.org.uk, davidb@verisign.com, suresh.krishnan@ericsson.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com
>> Cc: rfc-editor@rfc-editor.org, dnsext@ietf.org
>> Subject: [dnsext] [Technical Errata Reported] RFC5155 (4993)
>> Date: Thu, 13 Apr 2017 09:12:07 -0700 (PDT)
>> 
>> The following errata report has been submitted for RFC5155,
>> "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=4993
>> --------------------------------------
>> Type: Technical
>> Reported by: Dick Franks <rwfranks@acm.org>
>> 
>> Section: Appendix A
>> 
>> Original Text
>> -------------
>>  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
>>  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
>>  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
>>  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
>>  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
>>  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
>>  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
>>  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
>>  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
>>  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
>>  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
>> - ; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example)
>> - ;                  = kohar7mbb8dc2ce8a9qvl8hon4k53uhi
>>  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
>>                         3600000 3600 )
>>                 NS      ns1.example.
>>                 NS      ns2.example.
>>                 MX      1 xx.example.
>>                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
>>                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
>>                         TY4hHn9npWFRw5BYubE= )
>>                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
>>                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
>>                         AbsUdblMFin8CVF3n4s= )
>>                 NSEC3PARAM 1 0 12 aabbccdd:1
>>  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
>>                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
>>                         SOA NSEC3PARAM RRSIG )
>> ! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
>> !                NSEC3   1 1 12 aabbccdd (
>>                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
>>  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
>>                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
>>  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
>>                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
>>  a.example.     NS      ns1.a.example.
>>                 NS      ns2.a.example.
>>                 DS      58470 5 1 (
>>                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
>>  ns1.a.example. A       192.0.2.5
>>  ns2.a.example. A       192.0.2.6
>>  ai.example.    A       192.0.2.9
>>                 HINFO   "KLH-10" "ITS"
>>                 AAAA    2001:db8:0:0:0:0:f00:baa9
>>  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
>>                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
>>  c.example.     NS      ns1.c.example.
>>                 NS      ns2.c.example.
>>  ns1.c.example. A       192.0.2.7
>>  ns2.c.example. A       192.0.2.8
>>  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
>>                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
>>                         RRSIG )
>>  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
>>                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
>>  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
>> !                        kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
>> ! kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
>> !                        q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
>>  ns1.example.   A       192.0.2.1
>>  ns2.example.   A       192.0.2.2
>>  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
>>                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
>>  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
>>                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
>>  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
>>                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
>>                         RRSIG )
>>  *.w.example.   MX      1 ai.example.
>>  x.w.example.   MX      1 xx.example.
>>  x.y.w.example. MX      1 xx.example.
>>  xx.example.    A       192.0.2.10
>>                 HINFO   "KLH-10" "TOPS-20"
>>                 AAAA    2001:db8:0:0:0:0:f00:baaa
>> 
>> Corrected Text
>> --------------
>>  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
>>  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
>>  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
>>  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
>>  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
>>  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
>>  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
>>  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
>>  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
>>  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
>>  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
>>  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
>>                         3600000 3600 )
>>                 NS      ns1.example.
>>                 NS      ns2.example.
>>                 MX      1 xx.example.
>>                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
>>                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
>>                         TY4hHn9npWFRw5BYubE= )
>>                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
>>                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
>>                         AbsUdblMFin8CVF3n4s= )
>>                 NSEC3PARAM 1 0 12 aabbccdd:1
>>  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
>>                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
>>                         SOA NSEC3PARAM RRSIG )
>> ! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3   1 1 12 aabbccdd (
>>                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
>>  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
>>                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
>>  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
>>                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
>>  a.example.     NS      ns1.a.example.
>>                 NS      ns2.a.example.
>>                 DS      58470 5 1 (
>>                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
>>  ns1.a.example. A       192.0.2.5
>>  ns2.a.example. A       192.0.2.6
>>  ai.example.    A       192.0.2.9
>>                 HINFO   "KLH-10" "ITS"
>>                 AAAA    2001:db8:0:0:0:0:f00:baa9
>>  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
>>                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
>>  c.example.     NS      ns1.c.example.
>>                 NS      ns2.c.example.
>>  ns1.c.example. A       192.0.2.7
>>  ns2.c.example. A       192.0.2.8
>>  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
>>                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
>>                         RRSIG )
>>  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
>>                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
>>  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
>> !                        q04jkcevqvmu85r014c7dkba38o0ji5r )
>>  ns1.example.   A       192.0.2.1
>>  ns2.example.   A       192.0.2.2
>>  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
>>                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
>>  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
>>                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
>>  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
>>                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
>>                         RRSIG )
>>  *.w.example.   MX      1 ai.example.
>>  x.w.example.   MX      1 xx.example.
>>  x.y.w.example. MX      1 xx.example.
>>  xx.example.    A       192.0.2.10
>>                 HINFO   "KLH-10" "TOPS-20"
>>                 AAAA    2001:db8:0:0:0:0:f00:baaa
>> 
>> Notes
>> -----
>> The obligatory RRSIG records have been omitted for clarity.
>> 
>> The zone prior to NSEC3 signing seems to have contained an unexpected
>>    2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.	A	192.0.2.127
>> which was then lovingly included in the NSEC3 chain.
>> 
>> The error is readily detectable from the list of hashes of the original owner names. The source zone prior to signing can never contain a hashed name.
>> 
>> For completeness, B5 also needs a corresponding amendment, although this does not invalidate the proof presented therein.
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>> 
>> --------------------------------------
>> RFC5155 (draft-ietf-dnsext-nsec3-13)
>> --------------------------------------
>> Title               : DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
>> Publication Date    : March 2008
>> Author(s)           : B. Laurie, G. Sisson, R. Arends, D. Blacka
>> Category            : PROPOSED STANDARD
>> Source              : DNS Extensions
>> Area                : Internet
>> Stream              : IETF
>> Verifying Party     : IESG
>> 
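As an added worked example, not part of this thread or of RFC 5155 itself: the NSEC3 hash of RFC 5155 section 5 (SHA-1, salt aabbccdd, 12 iterations, base32hex output) applied to the Appendix A owner names reproduces the H() values quoted above, rebuilds the chain as the original text has it, and shows that the one owner name sitting in the hashed space (the 2t7b...bojr.example A record Roy refers to) simply gets its own, distinct hash. The list APPENDIX_A_NAMES and all helper names are mine, assumed for this example.

```python
import hashlib

# RFC 5155 Appendix A parameters: hash algorithm 1 (SHA-1), 12 iterations, salt aabbccdd
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 extended hex alphabet; sorts like the raw digest

# Owner names that carry an NSEC3 RR in the Appendix A zone (constructed list): the apex, every
# name with data, the empty non-terminals w and y.w, the secure delegation a.example, and the
# 2t7b...bojr.example A record. c.example is an opt-out insecure delegation and has no NSEC3.
APPENDIX_A_NAMES = [
    "example", "a.example", "ai.example", "ns1.example", "ns2.example",
    "w.example", "*.w.example", "x.w.example", "y.w.example", "x.y.w.example",
    "xx.example", "2t7b4g4vsa5smi47k61mv5bv1a22bojr.example",
]

def wire_name(name):
    """Canonical wire format: lowercase labels, each length-prefixed, then the root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def base32hex(data):
    """Unpadded base32hex; a 20-byte SHA-1 digest maps to exactly 32 characters."""
    bits = len(data) * 8
    pad = (-bits) % 5
    n = int.from_bytes(data, "big") << pad
    count = (bits + pad) // 5
    return "".join(B32HEX[(n >> (5 * (count - 1 - i))) & 31] for i in range(count))

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def nsec3_chain(names):
    """Map each hashed owner to the next hashed owner in canonical order, wrapping at the end."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}

def owner_names_in_hashed_space(names):
    """Owner names whose first label equals another name's NSEC3 hash, mapped to that name."""
    by_hash = {nsec3_hash(n): n for n in names}
    return {n: by_hash[n.split(".")[0]] for n in names if n.split(".")[0] in by_hash}
```

Because c.example is opted out and names below delegations are never hashed, the chain comes out with exactly the twelve NSEC3 owners of the original Appendix A text, including k8ud... pointing at kohar7... rather than at q04j... as the erratum proposes.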