Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)

Warren Kumari <warren@kumari.net> Fri, 23 March 2018 15:28 UTC

In-Reply-To: <20180323152454.94C77B82ED3@rfc-editor.org>
References: <20180323152454.94C77B82ED3@rfc-editor.org>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 23 Mar 2018 15:27:30 +0000
Message-ID: <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com>
Cc: "Rose, Scott" <scott.rose@nist.gov>, "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>, Suresh Krishnan <suresh@kaloom.com>, Terry Manderson <terry.manderson@icann.org>, Olafur Gudmundsson <ogud@ogud.com>, Andrew Sullivan <ajs@anvilwalrusden.com>, dnsext@ietf.org, Pieter Lexis <pieter.lexis@powerdns.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/mVrDO2bh0f2AHF_51oxBCCH6MfQ>
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>

[ - RFC Editor for clutter ]

This *seems* correct to me, but my brain turned into jelly much
earlier in the week -- anyone disagree with the errata?

W

On Fri, Mar 23, 2018 at 3:24 PM, RFC Errata System
<rfc-editor@rfc-editor.org> wrote:
> The following errata report has been submitted for RFC6672,
> "DNAME Redirection in the DNS".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5297
>
> --------------------------------------
> Type: Editorial
> Reported by: Pieter Lexis <pieter.lexis@powerdns.com>
>
> Section: 5.3.4.1
>
> Original Text
> -------------
>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>    ;; OPT PSEUDOSECTION:
>    ; EDNS: version: 0, flags: do; udp: 4096
>
>    ;; Question
>    foo.bar.example.com. IN A
>    ;; Authority
>    bar.example.com. NSEC dub.example.com. A DNAME
>    bar.example.com. RRSIG NSEC [valid signature]
>
> Corrected Text
> --------------
>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>    ;; OPT PSEUDOSECTION:
>    ; EDNS: version: 0, flags: do; udp: 4096
>
>    ;; Question
>    foo.bar.example.com. IN A
>    ;; Authority
>    bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
>    bar.example.com. RRSIG NSEC [valid signature]
>
> Notes
> -----
> The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
> --------------------------------------
> Title               : DNAME Redirection in the DNS
> Publication Date    : June 2012
> Author(s)           : S. Rose, W. Wijngaards
> Category            : PROPOSED STANDARD
> Source              : DNS Extensions
> Area                : Internet
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
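Added example, not part of this thread, of RFC 6672, or of any named implementation: a small validator-side check in Python over the two NSEC records quoted in the erratum. It encodes the rule the erratum relies on (RFC 4035 section 2.3: every NSEC in a signed zone must list NSEC and RRSIG in its own type bitmap) and the rule the RFC 6672 text around the example relies on (an NXDOMAIN whose NSEC shows a DNAME at an ancestor of QNAME is bogus, because the name should have been redirected). The function names, the verdict strings and the dig-style one-line record format are this example's own assumptions; the record strings are copied from the erratum's "Original Text" and "Corrected Text".

```python
from __future__ import annotations

# Added example (not from the thread or RFC 6672). Checks NSEC records
# in an NXDOMAIN response the way the erratum discussion implies:
#   * RFC 4035 s2.3: an NSEC's type bitmap must include NSEC and RRSIG,
#     otherwise it cannot be a genuine record from a signed zone.
#   * RFC 6672 s5.3.4.1: a DNAME bit at an ancestor (closest encloser) of
#     QNAME means QNAME had to be redirected, so NXDOMAIN + this NSEC is BOGUS.
# Function names, verdict strings and record format are assumptions here.


def canonical_labels(name: str) -> list[str]:
    """Split a dotted owner name into lowercase labels, root label first."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def is_ancestor(owner: str, qname: str) -> bool:
    """True if `owner` is a proper ancestor of `qname` in the DNS tree."""
    o, q = canonical_labels(owner), canonical_labels(qname)
    return len(o) < len(q) and q[: len(o)] == o


def parse_nsec(line: str) -> tuple[str, str, set[str]]:
    """Parse 'owner NSEC next TYPE TYPE ...' as printed in dig-style output."""
    fields = line.split()
    if len(fields) < 3 or fields[1].upper() != "NSEC":
        raise ValueError(f"not an NSEC record: {line!r}")
    owner, nxt = fields[0], fields[2]
    types = {t.upper() for t in fields[3:]}
    return owner, nxt, types


def nsec_bitmap_is_well_formed(line: str) -> bool:
    """RFC 4035 s2.3: the owner's bitmap must include both NSEC and RRSIG."""
    _, _, types = parse_nsec(line)
    return {"NSEC", "RRSIG"} <= types


def nxdomain_verdict(qname: str, nsec_lines: list[str]) -> str:
    """Classify an NXDOMAIN response carrying the given NSEC records.

    Returns 'MALFORMED_NSEC' if any NSEC lacks the NSEC/RRSIG bits,
    'BOGUS' if an NSEC proves a DNAME at an ancestor of QNAME, else
    'PLAUSIBLE' (meaning only that these two checks did not fail).
    """
    verdict = "PLAUSIBLE"
    for line in nsec_lines:
        owner, _, types = parse_nsec(line)
        if not {"NSEC", "RRSIG"} <= types:
            return "MALFORMED_NSEC"  # cannot be a genuine signed-zone NSEC
        if is_ancestor(owner, qname) and "DNAME" in types:
            verdict = "BOGUS"  # QNAME should have been DNAME-redirected
    return verdict


# Constructed inputs: the NSEC lines from the erratum's "Original Text" and
# "Corrected Text", and the QNAME from the quoted Question section.
ORIGINAL_NSEC = "bar.example.com. NSEC dub.example.com. A DNAME"
CORRECTED_NSEC = "bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC"
QNAME = "foo.bar.example.com."

if __name__ == "__main__":
    print("original :", nxdomain_verdict(QNAME, [ORIGINAL_NSEC]))
    print("corrected:", nxdomain_verdict(QNAME, [CORRECTED_NSEC]))
```

Run as a script it reports the original NSEC as malformed and the corrected one as a well-formed record that still exposes the reply as bogus, which is the distinction the erratum draws: the corrected text keeps the RFC's point (a validator that understands DNAME rejects the collated reply) while using an NSEC that could actually exist in a signed zone.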