Re: [dnsext] WGLC: RFC6195bis IANA guidance

Olafur Gudmundsson <ogud@ogud.com> Fri, 29 June 2012 18:24 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 359B921F8838 for <dnsext@ietfa.amsl.com>; Fri, 29 Jun 2012 11:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6J2lGOxSnZfs for <dnsext@ietfa.amsl.com>; Fri, 29 Jun 2012 11:24:13 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id EEDE121F877C for <dnsext@ietf.org>; Fri, 29 Jun 2012 11:24:11 -0700 (PDT)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q5TIO8Us027174; Fri, 29 Jun 2012 14:24:08 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-ID: <4FEDF2C7.7030209@ogud.com>
Date: Fri, 29 Jun 2012 14:24:07 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Donald Eastlake <d3e3e3@gmail.com>
References: <201206141304.PAA00956@TR-Sys.de> <CAF4+nEG5L+OQ4qVwSf2q5UdmrZH1aYnVgSVLUW+C7s+yk6XAKg@mail.gmail.com>
In-Reply-To: <CAF4+nEG5L+OQ4qVwSf2q5UdmrZH1aYnVgSVLUW+C7s+yk6XAKg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Cc: Alfred HÎnes <ah@tr-sys.de>, dnsext@ietf.org
Subject: Re: [dnsext] WGLC: RFC6195bis IANA guidance
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jun 2012 18:24:14 -0000

On 28/06/2012 22:16, Donald Eastlake wrote:
>   Hi Alfred,
>
> On Thu, Jun 14, 2012 at 9:04 AM, Alfred HÎnes <ah@tr-sys.de> wrote:
>> ...
>>
>> (1)  Section 3.1.4 and/or Appendix B
>>
>> Maybe the IESG will call for a citation for closing the AFSDB
>> sub-registry.  RFC 5864 is the proper reference (and its author has
>> approved the formal closing after checking with the AFS community).
>
> Adding such a reference seems reasonable. I suggest that, just before
> the last sentence of the first paragraph in Section 3.1.4, adding "Use
> of the AFSDB RR to locate AFS cell database servers was deprecated by
> [RFC5864]." and noting this addition in Appendix B.
>
>> (2)  Section 3.2
>>
>> In the RCODE registry (Section 2.3), there is an apparent
>> overloading of RCODE=16:
>>    BADVERS (RFC 2671 / RFC 2671bis) vs. BADSIG (RFC 2845).
>
> Yes. But it seems unlikely to cause a problem as one is only used in
> OPT and one s only used in TSIG.
>
>> Looking back into RFC 2845, it seems that the clerical error
>> has happened at IANA when acting upon the assignments in that RFC.
>> The second paragraph of Section 7 of RFC 2845 (on top of page 13)
>> clearly states:
>>
>> !  IANA is expected to create and maintain a registry of "TSIG Error
>> !  values" to be used for "Error" values as defined in section 2.3.
>> !  Initial values should be those defined in section 1.7.  New TSIG
>> !  error codes for the TSIG error field are assigned using the IETF
>> !  Consensus policy defined in RFC 2434.
>>
>> Note that the TSIG Error field is a component of TSIG RDATA distinct
>> from the RCODE field in the DNS message header and its extension in
>> OPT RRs.  An According to RFC 2845 (which seems to be mostly unaware
>> of EDNS, besides references to binary labels), there is an intentional
>> semantical overlap for Error values 0..15, which are specified as being
>> identical with the non-extended RCODES (0..15) in sect. 1.7 of RFC 2845;
>> the "new" TSIG Error values 16..18 are to be signaled together with
>> RCODE = NotAuth(9) (originally specified in RFC 2136).
>> The idea there obviously was to make TSIG independent of the OPT RR,
>> i.e. to allow TSIG without EDNS, but to this end RFC 2845 likely better
>> had accomodated the extended RCODE BADVERS(16) assigned by RFC 2671 and
>> chosen Error values 17..19 for TSIG purposes.
>
> Of course, your quote from the IANA Considerations of RFC 2845 (TSG)
> is correct; however, I do not think the evidence is all on your side.
> In particular, earlier in RFC 2845, the error field is described as an
> "expanded RCODE".  This is essentially the same term that RFC 2671
> (OPT) uses ("an extended RCODE") and the same term that RFC 2930
> (TKEY) uses ("The error code field is an extended RCODE.").
>
>> However, IANA obviously has registered the actual new values 16..18
>> in the RCODE registry and _not_ established a TSIG Error code registry.
>> Mistakes happen, and it also may be wise to have RCODE values 17 and 18
>> "reserved" so that additional overloading cannot arise in the future.
>>
>> But IMO it would be worth adding "[*]" to the three RCODE registry
>> entries based on RFC 2845: BADSIG, BADKEY, and BADTIME, e.g.:
>>
>>         16    BADSIG    TSIG Signature Failure [*]         [RFC2845]
>>         17    BADKEY    Key not recognized [*]             [RFC2845]
>>         18    BADTIME   Signature out of time window [*]   [RFC2845]
>>
>> ... and to add a footnote to the rigistry that says (e.g.):
>>
>>    [*] These values are only to be used in the Error field of TSIG RRs;
>>        they cannot appear in the (extended) RCODE field of OPT RRs.
>>
>> Also, for added precision and consistency with RFC 2845 and RFC 2930,
>> the last clause in the first paragraph of Section 2.3 should perhaps
>> be adjusted as follows:
>>
>> OLD:
>>    and the TSIG and TKEY RRs have a 16-bit RCODE field.
>>                                            ^^^^^
>> NEW:
>>    and the TSIG and TKEY RRs have a 16-bit Error field.
>>                                            ^^^^^
>
> I believe that the more different DNS error registries there are, the
> more confusion and the more future errors in assignment will occur.
> Except for the values of the 4-bit DNS header un-extended RCODE, for
> which precious few free values exist, there is an abundance of values
> available, so there is no scarcity reason for separate registries with
> potentially overlapping values.  It is also the case that a single
> unified number space for DNS errors has been presented for years in
> RFC 6195, RFC 5395, and RFC 2929 for use in the unextended DNS header,
> the OPT extended DNS header, the TSIG RR error field, and the TKEY
> error field. In all these years, no one has had a problem with there
> being a single, unified DNS error number space. So, to the extent that
> there is any consensus among these document I believe it is for the
> simpler model of a single number space.
>
> To the extent that there s any ambiguity here, I would prefer to
> resolve it by adding text to Section 2.3 of the rfc6195bis draft like
> the following: "To the extent that any prior RFCs imply any sort of
> different error number space for the OPT, TSIG, or TKEY RRs, they are
> superseded by this unified DNS error number space. With the existing
> exception of error number 16, the same error number MUST NOT be
> assigned for different errors even if they would occur in different RR
> types."
>

<RFC2845-editor hat>
As one of perpetrators of this confusion and historian of what happened.
The IANA processing of RFC2671 was a unmitigated disaster,
   OPT got allocated 41  which should have been 25x code
All the other assignments from the document did not take place (more 
below)

TSIG RFC2845 editors assumed single RCODE space but because of IANA 
mistake in processing 2671 we overlooked the double RCODE. The 
inconsistent wording reflects that different people edited different 
versions and the processes of document review in the WG were not up to 
the same standards as today.

<DNSEXT chair hat>
I think Donald's solution is the most appropriate one,
Alfred thanks for brining this up and enabling us to once for all close 
down this confusion.

This happened before I became a co-chair of DNSIND but within 10 minutes 
of the RFC2671 announcement I raised the issue of OPT allocation code, 
but missed the omissions in IANA processing.

If I had noticed that as well I think we would have had a good case to 
reissue the RFC as RFC2671.1.
To be fair to IANA the IANA actions in RFC2671 were badly stated and 
well hidden in the text thus I do not blame IANA solely for this as none 
of the Editors, Chairs, AD's and RFC-editor did notice that the 
processing did not take place. This was one of the triggers in putting 
more formal process in allocations, IANA considerations sections, 
external reviews for IANA actions, ID proto writeup etc.
	
	Olafur