[dnsext] [Errata Verified] RFC4034 (4552)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 14 December 2015 15:11 UTC

To: benl@google.com, roy.arends@telin.nl, sra@isc.org, mlarson@verisign.com, massey@cs.colostate.edu, scott.rose@nist.gov
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/tE5JfKAR5pNfeqeSf213qcvtO74>
Cc: brian@innovationslab.net, rfc-editor@rfc-editor.org, iesg@ietf.org, dnsext@ietf.org

The following errata report has been verified for RFC4034,
"Resource Records for the DNS Security Extensions". 

You may review the report below and at:

Status: Verified
Type: Technical

Reported by: Ben Laurie <benl@google.com>
Date Reported: 2015-12-04
Verified by: Brian Haberman (IESG)

Section: Appendix B

Original Text
These groups are then added together, ignoring any carry bits.

Corrected Text
These groups are then added together with at least 32-bit precision,
retaining any carry bits.
The carry bits are then added to the result, and finally, only the lower
16 bits of the result are used as the key tag. Note that this means any
carries generated during the addition of the carry bits are ignored.
This, in turn, means that the keytag calculation is often the same as
reduction modulo 65535, but not always.

Errata 2681 already proposes a fix to Appendix B; however, the proposed fix is not quite clear. The first part of the corrected text is from 2681.

It's worth pointing this out because a naive analysis says in fact the keytag is exactly the same as reduction modulo 65535, and this has already wasted a fair amount of time.

It is also worth pointing out, perhaps, that this is a poor choice of algorithm for this particular application as it interacts badly with the properties of keys.

RFC4034 (draft-ietf-dnsext-dnssec-records-11)
Title               : Resource Records for the DNS Security Extensions
Publication Date    : March 2005
Author(s)           : R. Arends, R. Austein, M. Larson, D. Massey, S. Rose
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Area                : Internet
Stream              : IETF
Verifying Party     : IESG
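
The calculation in the corrected text, set beside plain reduction modulo 65535, as an added example that is not part of the errata report or of the RFC. The function names and the three sample RDATA byte strings are constructed for illustration; the samples are not real keys.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sum the RDATA as big-endian 16-bit groups in a 32-bit accumulator.
 * An odd trailing byte is the high byte of a final group. RDATA is at
 * most 65535 bytes, so the 32-bit sum cannot overflow. */
static uint32_t group_sum(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    return ac;
}

/* Key tag as the corrected text describes it (algorithms other than 1). */
uint16_t keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = group_sum(rdata, len);
    ac += (ac >> 16) & 0xFFFF;      /* add the retained carry bits once */
    return (uint16_t)(ac & 0xFFFF); /* a carry out of that step is dropped */
}

/* The "naive analysis": plain reduction modulo 65535. */
uint16_t keytag_mod65535(const uint8_t *rdata, size_t len)
{
    return (uint16_t)(group_sum(rdata, len) % 65535);
}

/* Constructed samples: flags 257, protocol 3, algorithm 8, filler bytes. */
const uint8_t ORDINARY[]   = {0x01, 0x01, 0x03, 0x08, 0xFF, 0xFF,
                              0x12, 0x34, 0x56};       /* sum 0x16C3C */
const uint8_t ALL_ONES[]   = {0x01, 0x01, 0x03, 0x08,
                              0xFB, 0xF6};             /* sum 0x0FFFF */
const uint8_t LOST_CARRY[] = {0x01, 0x01, 0x03, 0x08, 0xFF, 0xFF,
                              0xFB, 0xF7};             /* sum 0x1FFFF */

int main(void)
{
    printf("ordinary:   tag=%u mod=%u\n",
           (unsigned)keytag(ORDINARY, sizeof ORDINARY),
           (unsigned)keytag_mod65535(ORDINARY, sizeof ORDINARY));
    printf("all ones:   tag=%u mod=%u\n",
           (unsigned)keytag(ALL_ONES, sizeof ALL_ONES),
           (unsigned)keytag_mod65535(ALL_ONES, sizeof ALL_ONES));
    printf("lost carry: tag=%u mod=%u\n",
           (unsigned)keytag(LOST_CARRY, sizeof LOST_CARRY),
           (unsigned)keytag_mod65535(LOST_CARRY, sizeof LOST_CARRY));
    return 0;
}
```

The two functions agree on the first sample and disagree on the other two: a group sum whose low 16 bits are all ones either stays at 65535 where the modulus gives 0, or overflows when the carry is added and loses that second carry.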