Re: [dnsext] WGLC: RFC6195bis IANA guidance

[Alfred Hönes <ah@TR-Sys.de>]

I have once more read the most recent version of the rfc6195bis
draft and can approve that most of my previous review comments
for RFC 6195 and this draft have been acted upon satisfactorily.
My special thanks to Donald for his patience with my persistent
urges to improve the clarity in the visual presentation of the
tables; I think the pleasant result is worth the efforts.


Michael Sheldon's remark about "ALL" vs. "ANY" has lead me to
once more check the updated registry tables, and I got stuck
at two details, which lead to new considerations:

(1)  Section 3.1.4 and/or Appendix B

Maybe the IESG will call for a citation for closing the AFSDB
sub-registry.  RFC 5864 is the proper reference (and its author has
approved the formal closing after checking with the AFS community).

(2)  Section 3.2

In the RCODE registry (Section 2.3), there is an apparent
overloading of RCODE=16:
   BADVERS (RFC 2671 / RFC 2671bis) vs. BADSIG (RFC 2845).

Looking back into RFC 2845, it seems that the clerical error
has happened at IANA when acting upon the assignments in that RFC.
The second paragraph of Section 7 of RFC 2845 (on top of page 13)
clearly states:

!  IANA is expected to create and maintain a registry of "TSIG Error
!  values" to be used for "Error" values as defined in section 2.3.
!  Initial values should be those defined in section 1.7.  New TSIG
!  error codes for the TSIG error field are assigned using the IETF
!  Consensus policy defined in RFC 2434.

Note that the TSIG Error field is a component of TSIG RDATA distinct
from the RCODE field in the DNS message header and its extension in
OPT RRs.  An According to RFC 2845 (which seems to be mostly unaware
of EDNS, besides references to binary labels), there is an intentional
semantical overlap for Error values 0..15, which are specified as being
identical with the non-extended RCODES (0..15) in sect. 1.7 of RFC 2845;
the "new" TSIG Error values 16..18 are to be signaled together with
RCODE = NotAuth(9) (originally specified in RFC 2136).
The idea there obviously was to make TSIG independent of the OPT RR,
i.e. to allow TSIG without EDNS, but to this end RFC 2845 likely better
had accomodated the extended RCODE BADVERS(16) assigned by RFC 2671 and
chosen Error values 17..19 for TSIG purposes.

However, IANA obviously has registered the actual new values 16..18
in the RCODE registry and _not_ established a TSIG Error code registry.
Mistakes happen, and it also may be wise to have RCODE values 17 and 18
"reserved" so that additional overloading cannot arise in the future.

But IMO it would be worth adding "[*]" to the three RCODE registry
entries based on RFC 2845: BADSIG, BADKEY, and BADTIME, e.g.:

        16    BADSIG    TSIG Signature Failure [*]         [RFC2845]
        17    BADKEY    Key not recognized [*]             [RFC2845]
        18    BADTIME   Signature out of time window [*]   [RFC2845]

... and to add a footnote to the rigistry that says (e.g.):

   [*] These values are only to be used in the Error field of TSIG RRs;
       they cannot appear in the (extended) RCODE field of OPT RRs.

Also, for added precision and consistency with RFC 2845 and RFC 2930,
the last clause in the first paragraph of Section 2.3 should perhaps
be adjusted as follows:

OLD:
   and the TSIG and TKEY RRs have a 16-bit RCODE field.
                                           ^^^^^
NEW:
   and the TSIG and TKEY RRs have a 16-bit Error field.
                                           ^^^^^


Kind regards,
  Alfred.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+