Re: [dnsext] WGLC: RFC6195bis IANA guidance

[Donald Eastlake <d3e3e3@gmail.com>]

 Hi Alfred,

On Thu, Jun 14, 2012 at 9:04 AM, Alfred HÎnes <ah@tr-sys.de> wrote:
> ...
>
> (1)  Section 3.1.4 and/or Appendix B
>
> Maybe the IESG will call for a citation for closing the AFSDB
> sub-registry.  RFC 5864 is the proper reference (and its author has
> approved the formal closing after checking with the AFS community).

Adding such a reference seems reasonable. I suggest that, just before
the last sentence of the first paragraph in Section 3.1.4, adding "Use
of the AFSDB RR to locate AFS cell database servers was deprecated by
[RFC5864]." and noting this addition in Appendix B.

> (2)  Section 3.2
>
> In the RCODE registry (Section 2.3), there is an apparent
> overloading of RCODE=16:
>   BADVERS (RFC 2671 / RFC 2671bis) vs. BADSIG (RFC 2845).

Yes. But it seems unlikely to cause a problem as one is only used in
OPT and one s only used in TSIG.

> Looking back into RFC 2845, it seems that the clerical error
> has happened at IANA when acting upon the assignments in that RFC.
> The second paragraph of Section 7 of RFC 2845 (on top of page 13)
> clearly states:
>
> !  IANA is expected to create and maintain a registry of "TSIG Error
> !  values" to be used for "Error" values as defined in section 2.3.
> !  Initial values should be those defined in section 1.7.  New TSIG
> !  error codes for the TSIG error field are assigned using the IETF
> !  Consensus policy defined in RFC 2434.
>
> Note that the TSIG Error field is a component of TSIG RDATA distinct
> from the RCODE field in the DNS message header and its extension in
> OPT RRs.  An According to RFC 2845 (which seems to be mostly unaware
> of EDNS, besides references to binary labels), there is an intentional
> semantical overlap for Error values 0..15, which are specified as being
> identical with the non-extended RCODES (0..15) in sect. 1.7 of RFC 2845;
> the "new" TSIG Error values 16..18 are to be signaled together with
> RCODE = NotAuth(9) (originally specified in RFC 2136).
> The idea there obviously was to make TSIG independent of the OPT RR,
> i.e. to allow TSIG without EDNS, but to this end RFC 2845 likely better
> had accomodated the extended RCODE BADVERS(16) assigned by RFC 2671 and
> chosen Error values 17..19 for TSIG purposes.

Of course, your quote from the IANA Considerations of RFC 2845 (TSG)
is correct; however, I do not think the evidence is all on your side.
In particular, earlier in RFC 2845, the error field is described as an
"expanded RCODE".  This is essentially the same term that RFC 2671
(OPT) uses ("an extended RCODE") and the same term that RFC 2930
(TKEY) uses ("The error code field is an extended RCODE.").

> However, IANA obviously has registered the actual new values 16..18
> in the RCODE registry and _not_ established a TSIG Error code registry.
> Mistakes happen, and it also may be wise to have RCODE values 17 and 18
> "reserved" so that additional overloading cannot arise in the future.
>
> But IMO it would be worth adding "[*]" to the three RCODE registry
> entries based on RFC 2845: BADSIG, BADKEY, and BADTIME, e.g.:
>
>        16    BADSIG    TSIG Signature Failure [*]         [RFC2845]
>        17    BADKEY    Key not recognized [*]             [RFC2845]
>        18    BADTIME   Signature out of time window [*]   [RFC2845]
>
> ... and to add a footnote to the rigistry that says (e.g.):
>
>   [*] These values are only to be used in the Error field of TSIG RRs;
>       they cannot appear in the (extended) RCODE field of OPT RRs.
>
> Also, for added precision and consistency with RFC 2845 and RFC 2930,
> the last clause in the first paragraph of Section 2.3 should perhaps
> be adjusted as follows:
>
> OLD:
>   and the TSIG and TKEY RRs have a 16-bit RCODE field.
>                                           ^^^^^
> NEW:
>   and the TSIG and TKEY RRs have a 16-bit Error field.
>                                           ^^^^^

I believe that the more different DNS error registries there are, the
more confusion and the more future errors in assignment will occur.
Except for the values of the 4-bit DNS header un-extended RCODE, for
which precious few free values exist, there is an abundance of values
available, so there is no scarcity reason for separate registries with
potentially overlapping values.  It is also the case that a single
unified number space for DNS errors has been presented for years in
RFC 6195, RFC 5395, and RFC 2929 for use in the unextended DNS header,
the OPT extended DNS header, the TSIG RR error field, and the TKEY
error field. In all these years, no one has had a problem with there
being a single, unified DNS error number space. So, to the extent that
there is any consensus among these document I believe it is for the
simpler model of a single number space.

To the extent that there s any ambiguity here, I would prefer to
resolve it by adding text to Section 2.3 of the rfc6195bis draft like
the following: "To the extent that any prior RFCs imply any sort of
different error number space for the OPT, TSIG, or TKEY RRs, they are
superseded by this unified DNS error number space. With the existing
exception of error number 16, the same error number MUST NOT be
assigned for different errors even if they would occur in different RR
types."

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com


> Kind regards,
>  Alfred.
>
> --
>
> +------------------------+--------------------------------------------+
> | TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
> | Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
> | D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
> +------------------------+--------------------------------------------+
>