Re: [dnsext] [EXT] Asking for review on this errata by DNSSEC experts Re: [Errata Verified] RFC4035 (5226)

Peter van Dijk <peter.van.dijk@powerdns.com> Mon, 14 August 2023 08:52 UTC

Message-ID: <fe59864c27d8a5fe54373410a50df687d0f98f34.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Mark Andrews <marka@isc.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "dnsdir@ietf.org" <dnsdir@ietf.org>
Cc: "roy.arends@telin.nl" <roy.arends@telin.nl>, "sra@isc.org" <sra@isc.org>, "mlarson@verisign.com" <mlarson@verisign.com>, "massey@cs.colostate.edu" <massey@cs.colostate.edu>, "scott.rose@nist.gov" <scott.rose@nist.gov>, "dnsext@ietf.org" <dnsext@ietf.org>
Date: Mon, 14 Aug 2023 10:52:03 +0200
In-Reply-To: <1B5D0B11-9930-4D7B-ABC5-0AEDA3A4553F@cisco.com>
References: <1B5D0B11-9930-4D7B-ABC5-0AEDA3A4553F@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/c8x8eqYrUPV7HCIFwyL6FEcdYEg>

Before I posted the erratum, this was discussed on DNSOP:
https://mailarchive.ietf.org/arch/browse/dnsop/?gbt=1&index=zlZRR37eirlOz5Rt55xU3tMzngo

(that thread also has the corner case description that Scott asked for)

That thread did not manage to reach consensus, and PowerDNS now contains
a workaround for what -we- considered the broken behaviour.

I do not understand Mark's comment about NS queries. Perhaps "DNSSEC
aware resolvers" means "BIND" in his comment?

Peter

On Sat, 2023-08-05 at 07:11 +0000, Eric Vyncke (evyncke) wrote:
> Mark, thanks for your review. Happy to correct the errata after verification.
> 
> What is the view of the DNS directorate members on this errata (see below or at https://www.rfc-editor.org/errata/eid5226) ? I.e., I would appreciate a quick look by several DNS directorate members + original authors.
> 
> Thanks, in advance.
> 
> -éric
> 
> 
> On 05/08/2023, 03:46, "Mark Andrews" <marka@isc.org> wrote:
> 
> 
> This is incorrect. DNSSEC aware resolvers make NS queries to determine the parent nameservers. Non DNSSEC resolvers accept the response from the child zone. 
> 
> 
> -- 
> Mark Andrews
> 
> 
> > On 5 Aug 2023, at 01:52, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> > 
> > The following errata report has been verified for RFC4035,
> > "Protocol Modifications for the DNS Security Extensions". 
> > 
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid5226
> > 
> > --------------------------------------
> > Status: Verified
> > Type: Technical
> > 
> > Reported by: Peter van Dijk <peter.van.dijk@powerdns.com>
> > Date Reported: 2018-01-04
> > Verified by: Eric Vyncke (IESG)
> > 
> > Section: 3.1.4.1
> > 
> > Original Text
> > -------------
> > The need for special processing by a security-aware name server only
> > arises when all the following conditions are met:
> > 
> > o The name server has received a query for the DS RRset at a zone
> > cut.
> > 
> > o The name server is authoritative for the child zone.
> > 
> > o The name server is not authoritative for the parent zone.
> > 
> > o The name server does not offer recursion.
> > 
> > Corrected Text
> > --------------
> > The need for special processing by a security-aware name server only
> > arises when all the following conditions are met:
> > 
> > o The name server has received a query for the DS RRset at a zone
> > cut.
> > 
> > o The name server is authoritative for the child zone.
> > 
> > o The name server is not authoritative for any zone above the
> > child's apex.
> > 
> > o The name server does not offer recursion.
> > 
> > Notes
> > -----
> > The original text is ambiguous in the face of an authoritative server having zones C.B.A. and A. but not B.A., and could cause DS queries for C to return a NODATA at C's apex, instead of the desired referral to B. which would allow resolution to continue correctly.
> > 
> > --------------------------------------
> > RFC4035 (draft-ietf-dnsext-dnssec-protocol-09)
> > --------------------------------------
> > Title : Protocol Modifications for the DNS Security Extensions
> > Publication Date : March 2005
> > Author(s) : R. Arends, R. Austein, M. Larson, D. Massey, S. Rose
> > Category : PROPOSED STANDARD
> > Source : DNS Extensions
> > Area : Internet
> > Stream : IETF
> > Verifying Party : IESG
> > 
> 
> 
>
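As an added illustration (not part of the thread, and not PowerDNS, BIND or RFC code), the following Python models the four-condition test from the quoted section 3.1.4.1 in both its original and its corrected wording, and runs each against the C.B.A. / A. corner case from the erratum notes. It assumes: zone names are absolute lower-case strings; each served zone is listed with its delegation points; the server is non-recursive; "normal processing" of a DS query means answering from the most specific served zone that contains the parent name (my reading of the RFC text, not something the thread states); and the result labels NODATA, DS-FROM, REFERRAL and REFUSED are constructed names for the response kinds.

```python
# Added model of the DS-query decision in RFC 4035 section 3.1.4.1, original
# and erratum-corrected.  Not PowerDNS/BIND/RFC code; names and zone data
# below are constructed from the corner case in the erratum notes.

def labels(name):
    """Labels of an absolute name, root-most first: 'c.b.a.' -> ['a','b','c']."""
    return [l for l in name.lower().split(".") if l][::-1]

def name_from_labels(lbls):
    """Inverse of labels(): ['a','b'] -> 'b.a.', [] -> '.'."""
    return ".".join(reversed(lbls)) + "." if lbls else "."

def is_at_or_below(name, zone):
    """True when `name` is equal to `zone`'s apex or lies beneath it."""
    z, n = labels(zone), labels(name)
    return n[:len(z)] == z

def parent_name(name):
    return name_from_labels(labels(name)[:-1])

def closest_zone(zones, name):
    """Most specific served zone that contains `name`, or None."""
    hits = [z for z in zones if is_at_or_below(name, z)]
    return max(hits, key=lambda z: len(labels(z))) if hits else None

def needs_special_processing(zones, qname, corrected):
    """The four conditions of 3.1.4.1 (non-recursive server assumed).
    `zones` maps each served zone apex to the set of delegation points in it.
    A DS query 'at a zone cut' is one whose qname is an apex we serve as child."""
    if qname not in zones:
        return False
    if corrected:
        # erratum wording: not authoritative for ANY zone above the child's apex
        return not any(z != qname and is_at_or_below(qname, z) for z in zones)
    # original wording: not authoritative for the parent zone (only)
    return parent_name(qname) not in zones

def answer_ds_query(zones, qname, corrected):
    """Response kind for a DS query: ("NODATA", zone), ("DS-FROM", zone),
    ("REFERRAL", zone, delegation) or ("REFUSED", None)."""
    qname = qname.lower()
    if needs_special_processing(zones, qname, corrected):
        # Special processing: the server holds no DS data for this name, so
        # the answer comes from the child's apex.  Such a NODATA is signed (if
        # at all) with the child's keys, which a validator cannot yet trust.
        return ("NODATA", qname)
    # Normal processing (assumption): the DS RRset lives in the parent zone,
    # so answer from the most specific served zone containing the parent name.
    parent = parent_name(qname)
    zone = closest_zone(zones, parent)
    if zone is None:
        return ("REFUSED", None)
    if zone == parent:
        return ("DS-FROM", zone)  # DS RRset (or a signed NODATA) from the parent
    # The parent name sits below a delegation inside `zone`: refer there.
    for cut in sorted(zones[zone], key=lambda c: -len(labels(c))):
        if is_at_or_below(parent, cut):
            return ("REFERRAL", zone, cut)
    return ("DS-FROM", zone)  # inconsistent data: no cut covers the parent

# Constructed corner case from the erratum notes: the server serves C.B.A.
# and A. (which delegates B.A. elsewhere) but is not authoritative for B.A.
CORNER_CASE = {"c.b.a.": set(), "a.": {"b.a."}}

def demo():
    return {
        "original":  answer_ds_query(CORNER_CASE, "c.b.a.", corrected=False),
        "corrected": answer_ds_query(CORNER_CASE, "c.b.a.", corrected=True),
    }

if __name__ == "__main__":
    for variant, result in demo().items():
        print(f"{variant:9s} -> {result}")
```

Under the original wording the corner case satisfies all four conditions, so the model answers with a NODATA from C's apex; under the corrected wording the server's authority for A. disqualifies it from special processing, and normal processing yields a referral to B., which is the behaviour the erratum notes describe as desired. A server that serves only C.B.A., or that serves both C.B.A. and B.A., gets the same answer under both wordings, so the erratum changes behaviour only in the gap case.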