Re: [dnsext] [Technical Errata Reported] RFC4592 (5119)

Olafur Gudmundsson <ogud@ogud.com> Mon, 25 September 2017 00:47 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC5F813295C for <dnsext@ietfa.amsl.com>; Sun, 24 Sep 2017 17:47:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NO_DNS_FOR_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dM5kjjE9XALz for <dnsext@ietfa.amsl.com>; Sun, 24 Sep 2017 17:47:04 -0700 (PDT)
Received: from smtp123.ord1d.emailsrvr.com (smtp123.ord1d.emailsrvr.com [184.106.54.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB58D13213D for <dnsext@ietf.org>; Sun, 24 Sep 2017 17:47:04 -0700 (PDT)
Received: from smtp16.relay.ord1d.emailsrvr.com (localhost [127.0.0.1]) by smtp16.relay.ord1d.emailsrvr.com (SMTP Server) with ESMTP id CCA4F4006D; Sun, 24 Sep 2017 20:47:03 -0400 (EDT)
X-Auth-ID: ogud@ogud.com
Received: by smtp16.relay.ord1d.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 7949F40072; Sun, 24 Sep 2017 20:47:03 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from [10.20.30.43] (pool-96-255-4-80.washdc.fios.verizon.net [96.255.4.80]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:25 (trex/5.7.12); Sun, 24 Sep 2017 20:47:03 -0400
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <20170921105406.C6A89B81F0B@rfc-editor.org>
Date: Sun, 24 Sep 2017 20:47:02 -0400
Cc: ed.lewis@neustar.biz, suresh.krishnan@gmail.com, terry.manderson@icann.org, ajs@anvilwalrusden.com, K.Koymans@uva.nl, dnsext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <344ECBBE-7DFB-4E53-8DA0-240ABA4D81F0@ogud.com>
References: <20170921105406.C6A89B81F0B@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/wrzzk-BrVfuDLa0J2F7kRXrk770>
Subject: Re: [dnsext] [Technical Errata Reported] RFC4592 (5119)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 00:47:06 -0000

This errata report is based on a misunderstanding and should be rejected 
There is no harm in synthesizing NSEC records as long as the owner name of the NSEC record sorts before the target name. 

Olafur

> On Sep 21, 2017, at 6:54 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC4592,
> "The Role of Wildcards in the Domain Name System".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5119
> 
> --------------------------------------
> Type: Technical
> Reported by: Karst Koymans <K.Koymans@uva.nl>
> 
> Section: 4.7
> 
> Original Text
> -------------
> 4.7.  NSEC RRSet at a Wildcard Domain Name
> 
>   Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
>   Synthesis of these records will only occur when the query exactly
>   matches the record.  Synthesized NSEC RRs will not be harmful as they
>   will never be used in negative caching or to generate a negative
>   response [RFC2308].
> 
> 
> Corrected Text
> --------------
> 4.7.  NSEC RRSet at a Wildcard Domain Name
> 
>   Wildcard domain names in DNSSEC signed zones will have an NSEC RRSet.
>   NSEC RRSets must not be synthesized from this wildcard NSEC.
> 
> Notes
> -----
> Synthesizing these records would destroy the semantics of the NSEC chain and could be very harmful if implementations would cache them and use them for "Aggressive Use of DNSSEC-Validated Cache" (RFC 8198).
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC4592 (draft-ietf-dnsext-wcard-clarify-11)
> --------------------------------------
> Title               : The Role of Wildcards in the Domain Name System
> Publication Date    : July 2006
> Author(s)           : E. Lewis
> Category            : PROPOSED STANDARD
> Source              : DNS Extensions
> Area                : Internet
> Stream              : IETF
> Verifying Party     : IESG