Re: [dnsext] [Technical Errata Reported] RFC4592 (5119)
Olafur Gudmundsson <ogud@ogud.com> Mon, 25 September 2017 00:47 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC5F813295C for <dnsext@ietfa.amsl.com>; Sun, 24 Sep 2017 17:47:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NO_DNS_FOR_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dM5kjjE9XALz for <dnsext@ietfa.amsl.com>; Sun, 24 Sep 2017 17:47:04 -0700 (PDT)
Received: from smtp123.ord1d.emailsrvr.com (smtp123.ord1d.emailsrvr.com [184.106.54.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB58D13213D for <dnsext@ietf.org>; Sun, 24 Sep 2017 17:47:04 -0700 (PDT)
Received: from smtp16.relay.ord1d.emailsrvr.com (localhost [127.0.0.1]) by smtp16.relay.ord1d.emailsrvr.com (SMTP Server) with ESMTP id CCA4F4006D; Sun, 24 Sep 2017 20:47:03 -0400 (EDT)
X-Auth-ID: ogud@ogud.com
Received: by smtp16.relay.ord1d.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 7949F40072; Sun, 24 Sep 2017 20:47:03 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from [10.20.30.43] (pool-96-255-4-80.washdc.fios.verizon.net [96.255.4.80]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:25 (trex/5.7.12); Sun, 24 Sep 2017 20:47:03 -0400
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <20170921105406.C6A89B81F0B@rfc-editor.org>
Date: Sun, 24 Sep 2017 20:47:02 -0400
Cc: ed.lewis@neustar.biz, suresh.krishnan@gmail.com, terry.manderson@icann.org, ajs@anvilwalrusden.com, K.Koymans@uva.nl, dnsext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <344ECBBE-7DFB-4E53-8DA0-240ABA4D81F0@ogud.com>
References: <20170921105406.C6A89B81F0B@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/wrzzk-BrVfuDLa0J2F7kRXrk770>
Subject: Re: [dnsext] [Technical Errata Reported] RFC4592 (5119)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 00:47:06 -0000
This errata report is based on a misunderstanding and should be rejected There is no harm in synthesizing NSEC records as long as the owner name of the NSEC record sorts before the target name. Olafur > On Sep 21, 2017, at 6:54 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: > > The following errata report has been submitted for RFC4592, > "The Role of Wildcards in the Domain Name System". > > -------------------------------------- > You may review the report below and at: > http://www.rfc-editor.org/errata/eid5119 > > -------------------------------------- > Type: Technical > Reported by: Karst Koymans <K.Koymans@uva.nl> > > Section: 4.7 > > Original Text > ------------- > 4.7. NSEC RRSet at a Wildcard Domain Name > > Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet. > Synthesis of these records will only occur when the query exactly > matches the record. Synthesized NSEC RRs will not be harmful as they > will never be used in negative caching or to generate a negative > response [RFC2308]. > > > Corrected Text > -------------- > 4.7. NSEC RRSet at a Wildcard Domain Name > > Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet. > NSEC RRSets must not be synthesized from this wildcard NSEC. > > Notes > ----- > Synthesizing these records would destroy the semantics of the NSEC chain and could be very harmful if implementations would cache them and use them for "Aggressive Use of DNSSEC-Validated Cache" (RFC 8198). > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC4592 (draft-ietf-dnsext-wcard-clarify-11) > -------------------------------------- > Title : The Role of Wildcards in the Domain Name System > Publication Date : July 2006 > Author(s) : E. Lewis > Category : PROPOSED STANDARD > Source : DNS Extensions > Area : Internet > Stream : IETF > Verifying Party : IESG
- [dnsext] [Technical Errata Reported] RFC4592 (511… RFC Errata System
- Re: [dnsext] [Ext] [Technical Errata Reported] RF… Edward Lewis
- Re: [dnsext] [Ext] [Technical Errata Reported] RF… Edward Lewis
- Re: [dnsext] [Technical Errata Reported] RFC4592 … Mark Andrews
- Re: [dnsext] [Technical Errata Reported] RFC4592 … Olafur Gudmundsson