[dnsext] Re: [Technical Errata Reported] RFC4035 (8037)

Elias Heftrig <elias.heftrig@sit.fraunhofer.de> Mon, 29 July 2024 20:48 UTC

Message-ID: <dddfa1d7-fdd4-413f-a2a7-5bda3da5a46c@sit.fraunhofer.de>
User-Agent: Mozilla Thunderbird
To: "Rose, Scott W. (Fed)" <scott.rose@nist.gov>
References: <20240718154431.808BD7FA60@rfcpa.rfc-editor.org> <A1D2718C-186F-4D80-A148-C4A9973F78B6@hactrn.net> <51FBDFB8-263C-41D8-9BDF-BD67A26DF998@nist.gov> <b705f274-3e69-4dcd-98b0-023165aee7d3@sit.fraunhofer.de> <B75EDCC4-87AF-4733-A63A-E7A1515BEF9E@nist.gov>
Content-Language: en-US
From: Elias Heftrig <elias.heftrig@sit.fraunhofer.de>
In-Reply-To: <B75EDCC4-87AF-4733-A63A-E7A1515BEF9E@nist.gov>
CC: Rob Austein <sra@hactrn.net>, RFC Errata System <rfc-editor@rfc-editor.org>, sra@isc.org, massey@cs.colostate.edu, ek.ietf@gmail.com, evyncke@cisco.com, ogud@ogud.com, dnsext@ietf.org
Subject: [dnsext] Re: [Technical Errata Reported] RFC4035 (8037)
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/uEbcYSBlHdDjslJHe4eHgvp0plw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext>
Date: Mon, 29 Jul 2024 20:48:50 -0000
X-Original-Date: Mon, 29 Jul 2024 22:48:23 +0200

Hi Scott,

As I take it from the IETF120 hallway discussions on the errata, an
update to the RFCs is a viable way to deal with these flaws as well.
Since updates seem to take quite a while until published, the errata, as
reported, offer some benefit of warning new implementers about the flaws
in the meantime (albeit their visibility being somewhat limited).
Serving that purpose, from my own perspective, an errata status of "Held
for Document Update" might be the way to go, or else a "Rejected", but
with a very clear comment that the reported flaws (errata 8037 and 8038)
are in fact an issue and need to be dealt with by an update to the
corresponding RFCs. "Held for Document Update" might be a bit clearer in
that regard.

If I missed out on any discussions behind the scenes and things have 
become clearer in the meantime, please don't hesitate to send me an update.

Thanks much,

Elias




On 19.07.24 15:31, Rose, Scott W. (Fed) wrote:
> Elias,
> My question was more IETF process than technical and how best to do the update so it won’t cause confusion to resolver and validator implementors.  Since this is a validation logic flaw and not just a query issue.
>
> Additionally, if the WG (or community at this point, since the DNSEXT WG is basically concluded) thinks there should be a draft to clarify things that might be better in the long run but not for the change needed to address the KeyTrap vulnerability right now.  Or can the errata process be used to fix a discovered flaw in the protocol RFC if the RFC reflects the original consensus?
>
> Unfortunately, I won’t be at the IETF in person due to budget constraints. I will be following virtually.
>
> Scott
>
> On 18 Jul 2024, at 16:49, Elias Heftrig wrote:
>
>> Hey Scott, the issue is in fact pretty fundamental:
>>
>> Aside from the load implied by NSEC3 iteration counts and a general warning about DoS-by-crypto attacks in the security considerations of RFC4033, the CPU resource requirements of validation have not been addressed much by the DNSSEC specification. Other than that there is a general instruction for DNS resolvers in RFC1035 (Section 7.1.) to "limit the amount of work", which a resolver will do in response to a client request (contextualized with retransmissions, timeouts and circular CNAMEs). However, a) the question is how much that would apply to other DNSSEC validators (a DANE client, possibly?); and b) the number of validations is technically already "limited" (in a "non-infinite" sense) by transport constraints - though obviously not limited to a sufficient degree.
>>
>> In any case it appears reasonable to extend the basic approach of the RFC1035 requirement to DNSSEC validation as well, and a fair share of the patches to CVE-2023-50387 do so, but that entails a whole bunch of follow-up questions: What are the implications of introducing such limits (currently chosen locally at deployments!) on the resolver/domain sides and for scalability of DNS as well as future protocol development...? How much should specification regulate resource consumption at implementations in the first place? If we introduce per-query limits to the specification, how should they be quantified? There would certainly be enough material to fill an RFC on the regulation of DNSSEC validation CPU requirements, though at the risk of adding a (prohibitive) lot of complexity to an already complex protocol.
>>
>> Before I go down the rabbit hole here: We will be attending IETF120 next week and are having a talk on this topic at the co-located ANRW ("Protocol Fixes for KeyTrap Vulnerabilities"). If any of you are attending IETF120 as well, we would love to hear your opinion and discuss matters with you there.
>>
>>
>> Regarding the proposed errata:
>>
>> The requirement to try all possible DNSKEYs and the requirement to validate all RRsets in an ANY-type answer (see the additional erratum 8038 for RFC6840) are both MUST requirements. Since they are "absolute specification requirements" (RFC2119) and imply an (un-)certain amount of work, it appears imperative to demote them to SHOULD.
>>
>> Furthermore, supported by the abundance of implementations, which were vulnerable to CVE-2023-50387, a rigorous specification-side guidance on limiting CPU resource consumption - or at least a clear word of warning located at the relevant requirements in the specification - would certainly be beneficial. (Honorable mention here: RFC6840 Section 5.4 "a resolver SHOULD [...] only determine that an RRset is Bogus if all RRSIGs fail validation.")
>>
>> Arguably, MUST requirements (and SHOULD, to a degree) should be "no-brainers", at least to the extent of not being harmful if they are followed literally.
>>
>> Best, Elias
>>
>> On 18.07.24 19:03, Rose, Scott W. (Fed) wrote:
>>> So would the process here be to have an update to RFC 4045?  It sounds like it.  Plus that gives space to provide more guidance to implementors than just “SHOULD”.  For instance - is there an upper bound on the number of keys tried?
>>>
>>> I know that sounds like a lot of overhead for changing what is one keyword at first, but I think this might deserve more than just changing a MUST to a SHOULD.
>>>
>>> Scott
>>>
>>> On 18 Jul 2024, at 12:39, Rob Austein wrote:
>>>
>>>> This is interesting, but I don't think it's an erratum. The text says what the WG intended: if one is attempting to validate the signature, one MUST try them all until one succeeds or one runs out of keys to try.  I believe the reporter is requesting a technical change based on recent analysis, which is a worthy topic for discussion but is not an erratum. Take it to the WG.
>>>> -- 
>>>> Sent from a phone, please excuse typos and brevity
>>> =====================================
>>> Scott Rose
>>> NIST/CTL/WND
>>> scott.rose@nist.gov
>>> ph: 301-975-8439
>>> GoogleVoice: 571-249-3671
>>> =====================================
>
> =====================================
> Scott Rose
> NIST/CTL/WND
> scott.rose@nist.gov
> ph: 301-975-8439
> GoogleVoice: 571-249-3671
> =====================================
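
The thread's question about an upper bound on the number of keys tried, as an added Python illustration that is not part of the original messages or of any resolver's code: a toy validator that counts verification attempts under the literal "try them all" rule and under a locally chosen cap. HMAC stands in for real DNSSEC signature verification, and `max_attempts`, the `limit-exceeded` status and all sample data are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    """Stand-in for a DNSKEY; an HMAC secret replaces the public key (assumption)."""
    tag: int
    algorithm: int
    secret: bytes


@dataclass(frozen=True)
class Sig:
    """Stand-in for an RRSIG naming the key tag and algorithm that produced it."""
    tag: int
    algorithm: int
    mac: bytes


def _mac(key: Key, rrset: bytes) -> bytes:
    return hmac.new(key.secret, rrset, hashlib.sha256).digest()


def sign(key: Key, rrset: bytes) -> Sig:
    return Sig(key.tag, key.algorithm, _mac(key, rrset))


def validate(rrset, sigs, keys, max_attempts=None):
    """Try every candidate key for every signature; return (status, attempts).

    max_attempts=None is the literal "try them all" reading discussed in the
    thread; an integer is a locally chosen cap (hypothetical parameter).
    """
    attempts = 0
    for sig in sigs:
        for key in keys:
            if (key.tag, key.algorithm) != (sig.tag, sig.algorithm):
                continue  # not a candidate for this signature
            if max_attempts is not None and attempts >= max_attempts:
                return "limit-exceeded", attempts
            attempts += 1  # one verification (the expensive step in real DNSSEC)
            if hmac.compare_digest(_mac(key, rrset), sig.mac):
                return "secure", attempts
    return "bogus", attempts


# Constructed sample data, not taken from any real zone.
RRSET = b"www.example. 300 IN A 192.0.2.1"
GOOD_KEYS = [Key(1111, 13, b"zsk-a"), Key(2222, 13, b"zsk-b")]
GOOD_SIGS = [sign(GOOD_KEYS[1], RRSET)]
# Eight keys that are all candidates for each of eight signatures that verify under none.
MANY_KEYS = [Key(3333, 13, b"k%d" % i) for i in range(8)]
BAD_SIGS = [Sig(3333, 13, bytes([i]) * 32) for i in range(8)]


def demo():
    return {
        "normal": validate(RRSET, GOOD_SIGS, GOOD_KEYS, max_attempts=16),
        "unbounded": validate(RRSET, BAD_SIGS, MANY_KEYS),
        "bounded": validate(RRSET, BAD_SIGS, MANY_KEYS, max_attempts=16),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ordinary zone validates in one attempt under the cap, while the work for the many-candidate response grows as keys times signatures until the cap stops it; the value 16 is arbitrary, which is the quantification question the thread leaves open.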