Re: [dnsext] [EXT] Asking for review on this errata by DNSSEC experts Re: [Errata Verified] RFC4035 (5226)
Peter van Dijk <peter.van.dijk@powerdns.com> Mon, 14 August 2023 08:52 UTC
Message-ID: <fe59864c27d8a5fe54373410a50df687d0f98f34.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Mark Andrews <marka@isc.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "dnsdir@ietf.org" <dnsdir@ietf.org>
Cc: "roy.arends@telin.nl" <roy.arends@telin.nl>, "sra@isc.org" <sra@isc.org>, "mlarson@verisign.com" <mlarson@verisign.com>, "massey@cs.colostate.edu" <massey@cs.colostate.edu>, "scott.rose@nist.gov" <scott.rose@nist.gov>, "dnsext@ietf.org" <dnsext@ietf.org>
Date: Mon, 14 Aug 2023 10:52:03 +0200
In-Reply-To: <1B5D0B11-9930-4D7B-ABC5-0AEDA3A4553F@cisco.com>
References: <1B5D0B11-9930-4D7B-ABC5-0AEDA3A4553F@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/c8x8eqYrUPV7HCIFwyL6FEcdYEg>
Before I posted the erratum, this was discussed on DNSOP: https://mailarchive.ietf.org/arch/browse/dnsop/?gbt=1&index=zlZRR37eirlOz5Rt55xU3tMzngo (that thread also has the corner case description that Scott asked for).

That thread did not manage to reach consensus, and PowerDNS now contains a workaround for what -we- considered the broken behaviour.

I do not understand Mark's comment about NS queries. Perhaps "DNSSEC aware resolvers" means "BIND" in his comment?

Peter

On Sat, 2023-08-05 at 07:11 +0000, Eric Vyncke (evyncke) wrote:
> Mark, thanks for your review. Happy to correct the errata after verification.
>
> What is the view of the DNS directorate members on this errata (see below or at https://www.rfc-editor.org/errata/eid5226)? I.e., I would appreciate a quick look by several DNS directorate members + original authors.
>
> Thanks, in advance.
>
> -éric
>
>
> On 05/08/2023, 03:46, "Mark Andrews" <marka@isc.org> wrote:
>
> > This is incorrect. DNSSEC aware resolvers make NS queries to determine the parent nameservers. Non DNSSEC resolvers accept the response from the child zone.
>
> > --
> > Mark Andrews
>
>
> > On 5 Aug 2023, at 01:52, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> >
> > The following errata report has been verified for RFC4035,
> > "Protocol Modifications for the DNS Security Extensions".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid5226
> >
> > --------------------------------------
> > Status: Verified
> > Type: Technical
> >
> > Reported by: Peter van Dijk <peter.van.dijk@powerdns.com>
> > Date Reported: 2018-01-04
> > Verified by: Eric Vyncke (IESG)
> >
> > Section: 3.1.4.1
> >
> > Original Text
> > -------------
> > The need for special processing by a security-aware name server only
> > arises when all the following conditions are met:
> >
> > o The name server has received a query for the DS RRset at a zone
> > cut.
> >
> > o The name server is authoritative for the child zone.
> >
> > o The name server is not authoritative for the parent zone.
> >
> > o The name server does not offer recursion.
> >
> > Corrected Text
> > --------------
> > The need for special processing by a security-aware name server only
> > arises when all the following conditions are met:
> >
> > o The name server has received a query for the DS RRset at a zone
> > cut.
> >
> > o The name server is authoritative for the child zone.
> >
> > o The name server is not authoritative for any zone above the
> > child's apex.
> >
> > o The name server does not offer recursion.
> >
> > Notes
> > -----
> > The original text is ambiguous in the face of an authoritative server having zones C.B.A. and A. but not B.A., and could cause DS queries for C to return a NODATA at C's apex, instead of the desired referral to B. which would allow resolution to continue correctly.
> >
> > --------------------------------------
> > RFC4035 (draft-ietf-dnsext-dnssec-protocol-09)
> > --------------------------------------
> > Title : Protocol Modifications for the DNS Security Extensions
> > Publication Date : March 2005
> > Author(s) : R. Arends, R. Austein, M. Larson, D. Massey, S. Rose
> > Category : PROPOSED STANDARD
> > Source : DNS Extensions
> > Area : Internet
> > Stream : IETF
> > Verifying Party : IESG
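The zone-selection logic the erratum is arguing about, as an added example (not PowerDNS, BIND or RFC code): it evaluates the four conditions of RFC 4035 section 3.1.4.1 under both the original and the corrected wording, and picks the zone a DS query is answered from so that the A. / C.B.A. / missing B.A. case from the Notes yields a referral to B.A. rather than NODATA from C.B.A. The hosted-zone table, the function names and the response labels are constructed assumptions; the RFC's own special-case response is labelled but not reproduced.

```python
from typing import Dict, Iterator, Optional, Set, Tuple

# Constructed example: the erratum's case, A. and C.B.A. hosted but not B.A.
HOSTED: Dict[str, Set[str]] = {"a.": {"b.a."}, "c.b.a.": set()}  # apex -> delegated names

def parent_of(name: str) -> Optional[str]:
    """Parent of an absolute owner name: 'c.b.a.' -> 'b.a.', 'a.' -> '.', '.' -> None."""
    labels = name.rstrip(".").split(".")
    if labels == [""]:
        return None
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def ancestors(name: str) -> Iterator[str]:
    """Every name strictly above `name`, nearest first, ending with the root."""
    p = parent_of(name)
    while p is not None:
        yield p
        p = parent_of(p)

def needs_special_processing(zones: Set[str], qname: str, qtype: str,
                             recursive: bool, corrected: bool) -> bool:
    """The four RFC 4035 3.1.4.1 conditions; `corrected` selects the erratum wording."""
    if qtype != "DS" or recursive or qname not in zones:
        return False  # not a non-recursive DS query at a cut whose child we serve
    if corrected:     # erratum: no hosted zone anywhere above the child's apex
        return not any(z in zones for z in ancestors(qname))
    return parent_of(qname) not in zones  # original: only the parent is checked

def ds_answer_zone(zones: Set[str], qname: str) -> Optional[str]:
    """Closest hosted zone strictly above qname (the DS RRset lives on the parent
    side of the cut); the child itself only when no ancestor is hosted."""
    for z in ancestors(qname):
        if z in zones:
            return z
    return qname if qname in zones else None

def answer_ds_query(zones: Dict[str, Set[str]], qname: str) -> Tuple[str, Optional[str]]:
    """Classify a non-recursive DS response; name existence is not modelled."""
    zone = ds_answer_zone(set(zones), qname)
    if zone is None:
        return ("REFUSED", None)
    if zone == qname:
        return ("SPECIAL", zone)  # child zone only: RFC 4035 3.1.4.1 special case
    # Walk top-down from the answering zone toward qname: the first delegation met
    # is qname itself (DS data) or an intermediate cut (referral, e.g. A. -> B.A.).
    below = [n for n in ancestors(qname) if n != zone and n.endswith(zone)]
    for cut in below[::-1] + [qname]:
        if cut in zones[zone]:
            return ("DS", cut) if cut == qname else ("REFERRAL", cut)
    return ("NODATA", zone)
```

With HOSTED, the original wording flags DS c.b.a. as the special case (no B.A.) while the corrected wording does not (A. is hosted), and the answer comes from A. as a referral to B.A.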