[dnsext] [Errata Held for Document Update] RFC4035 (8037)
RFC Errata System <rfc-editor@rfc-editor.org> Wed, 07 August 2024 15:37 UTC
To: elias.heftrig@sit.fraunhofer.de, roy.arends@telin.nl, sra@isc.org, mlarson@verisign.com, massey@cs.colostate.edu, scott.rose@nist.gov
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20240807153724.E51537FA60@rfcpa.rfc-editor.org>
CC: evyncke@cisco.com, iesg@ietf.org, dnsext@ietf.org, rfc-editor@rfc-editor.org
Subject: [dnsext] [Errata Held for Document Update] RFC4035 (8037)
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/cN15YX06pkYoWtHDlwdtkMBhfcw>
Date: Wed, 07 Aug 2024 15:37:25 -0000
The following errata report has been held for document update for RFC4035, "Protocol Modifications for the DNS Security Extensions".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8037

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Elias Heftrig <elias.heftrig@sit.fraunhofer.de>
Date Reported: 2024-07-18
Held by: Eric Vyncke (IESG)

Section: 5.3.1

Original Text
-------------
[...] the validator cannot predetermine which DNSKEY RR to use to authenticate the signature, and it MUST try each matching DNSKEY RR until either the signature is validated or the validator has run out of matching public keys to try.

Corrected Text
--------------
[...] the validator cannot predetermine which DNSKEY RR to use to authenticate the signature, and it SHOULD try each matching DNSKEY RR until either the signature is validated or the validator has run out of matching public keys to try.

Notes
-----
The original text requires validators to invest an unreasonable amount of work to validate a given signature in case there are many such DNSKEY RRs. The issue was exploited in the construction of CPU resource exhaustion attacks (CVE-2023-50387). For more details see our publication with ACM CCS'24 on the KeyTrap denial of service vulnerabilities.

-- verifier note --
While the concern is valid, this erratum does not represent the DNSEXT WG consensus at the time of writing, i.e., it cannot be "verified".

--------------------------------------
RFC4035 (draft-ietf-dnsext-dnssec-protocol-09)
--------------------------------------
Title               : Protocol Modifications for the DNS Security Extensions
Publication Date    : March 2005
Author(s)           : R. Arends, R. Austein, M. Larson, D. Massey, S. Rose
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Stream              : IETF
Verifying Party     : IESG
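Added illustration of the point the erratum makes; this is example code written for this page, not text from the erratum, RFC 4035 or any resolver. It implements the RFC 4034 Appendix B key tag and the RFC 4035 section 5.3.1 candidate-key selection (owner name, algorithm, key tag, protocol 3, Zone Key flag), then runs the "try each matching DNSKEY" loop once with no limit (the MUST) and once with an attempt budget (what the SHOULD would permit). Real signature verification is replaced by an HMAC-SHA256 stand-in so the block runs offline; the key set, names (example.), signed data and budget value are all constructed for the example.

```python
"""Added example (not from the erratum, RFC 4035 or any resolver): how a
validator picks candidate DNSKEYs for an RRSIG per RFC 4035 section 5.3.1,
and why trying every match (the MUST) lets the zone publisher set the work
factor. Signature verification is replaced by an HMAC-SHA256 stand-in
(assumption for this example only); a real validator calls the DNSSEC
algorithm's verify routine instead."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    signer: str
    algorithm: int
    key_tag: int
    signature: bytes


def matching_keys(dnskeys, rrsig):
    """RFC 4035 section 5.3.1 candidate set: owner equals the signer name,
    same algorithm, same key tag, protocol 3 and the Zone Key flag set."""
    return [k for k in dnskeys
            if k.owner == rrsig.signer
            and k.algorithm == rrsig.algorithm
            and k.protocol == 3
            and k.flags & ZONE_KEY_FLAG
            and k.key_tag() == rrsig.key_tag]


def toy_verify(key, signed_data, signature):
    # Stand-in for real signature verification (example assumption only).
    expected = hmac.new(key.public_key, signed_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate(dnskeys, rrsig, signed_data, max_attempts=None):
    """Return (status, attempts). max_attempts=None is the original MUST:
    every matching key is tried. A finite budget is what the erratum's SHOULD
    would permit: once it is spent the data is treated as bogus, never secure."""
    attempts = 0
    for key in matching_keys(dnskeys, rrsig):
        if max_attempts is not None and attempts >= max_attempts:
            return "bogus", attempts
        attempts += 1
        if toy_verify(key, signed_data, rrsig.signature):
            return "secure", attempts
    return "bogus", attempts


def colliding_keyset(n=32, genuine_last=True):
    """Constructed DNSKEYs for example. that all share one key tag. The tag is
    a position-weighted byte sum, so permuting the even-position bytes of the
    public key among themselves leaves it unchanged; each rotation is distinct."""
    even = list(range(1, 33))       # 32 distinct values for even positions
    odd = list(range(100, 132))     # fixed values for odd positions
    assert n <= len(even), "only len(even) distinct rotations exist"
    keys = []
    for i in range(n):
        rot = even[i:] + even[:i]
        pk = bytes(b for pair in zip(rot, odd) for b in pair)   # 64 bytes
        keys.append(DNSKEY("example.", ZONE_KEY_FLAG, 3, 13, pk))
    genuine = keys[-1] if genuine_last else keys[0]
    # A key with another algorithm is never a candidate, whatever its tag.
    decoy = DNSKEY("example.", ZONE_KEY_FLAG, 3, 8, keys[0].public_key)
    return keys + [decoy], genuine


def demo(n=32, max_attempts=None, genuine_last=True):
    """Sign constructed data with the genuine key, then validate against the
    colliding set. Returns the (status, attempts) pair from validate()."""
    keys, genuine = colliding_keyset(n, genuine_last)
    signed_data = b"constructed RRset wire form for example. A"   # constructed
    sig = hmac.new(genuine.public_key, signed_data, hashlib.sha256).digest()
    rrsig = RRSIG("example.", 13, genuine.key_tag(), sig)
    return validate(keys, rrsig, signed_data, max_attempts)


if __name__ == "__main__":
    print("shared key tag:", {k.key_tag() for k in colliding_keyset()[0][:-1]})
    print("MUST, genuine last      :", demo())
    print("budget 8, genuine last  :", demo(max_attempts=8))
    print("budget 8, genuine first :", demo(max_attempts=8, genuine_last=False))
```

The check worth taking away: the key tag is a 16-bit checksum, not a collision-resistant identifier, so anyone who controls a zone's DNSKEY RRset can publish as many same-tag keys as the response size allows, and under the MUST each one costs the validator a full signature verification before the genuine (or absent) key is reached. A budget bounds that cost, but it only helps if exhausting it yields a validation failure for that RRset rather than a pass; the example's validate() returns "bogus" in that case for that reason. Patched resolvers after CVE-2023-50387 added limits of this kind on validation attempts per resolution.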