Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

Michael Casadevall <> Mon, 26 March 2018 18:33 UTC

On 03/26/2018 02:05 PM, Richard Gibson wrote:
> TSIGs cover "A whole and complete DNS message in wire format, before the
> TSIG RR has been added to the additional data section and before the DNS
> Message Header's ARCOUNT field has been incremented to contain the TSIG
> RR" (RFC 2845 section 3.4.1), and would therefore be sensitive to
> decompression.

I'll go through the TSIG specification in-depth tomorrow, but is that
actually a problem? More specifically, is there a case where a DNS
server is signing TSIG records when it doesn't control the wire
representation of what's being sent?

If it is, then that's a rather large one.

I brought up RRSIG because a DNS server may be relaying
information it's unable to change/modify (i.e., a signed zone with a
MAILA record). Since RRSIGs sign the canonical form of the record, the
actual wire representation shouldn't matter if I understand the spec
correctly (i.e. compressed/decompressed); an uncompressed MAILA record
would essentially be equivalent to any other RFC 3597 record.

If I'm completely off base here, let me know. I'll follow up with my
findings, but I'm guessing someone will beat me to it.
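The distinction being discussed above (a TSIG-style MAC covers the message as it appears on the wire, while an RRSIG covers the RFC 4034 canonical form, which is uncompressed and lowercased regardless of how the record was transmitted) can be shown with a small constructed experiment. The code below is an added example written for this archive page, not code from anyone in the thread. It uses the obsolete MB type (code 7, RDATA is a single compressible domain name) as a stand-in for the "obsolete record with a name in its RDATA" case, builds the same response once with RFC 1035 compression pointers and once without, and then compares an HMAC over the raw message (the core of what RFC 2845 digests, with the TSIG variables omitted for brevity) against the canonical form an RRSIG would sign. The shared secret and the names are constructed values.

```python
"""Constructed example: message compression changes a TSIG-style MAC but not
the RFC 4034 canonical form an RRSIG covers."""
import hashlib
import hmac
import struct

MB = 7   # obsolete MB RR type (RFC 1035 3.3.3); RDATA is one domain name
IN = 1


def encode_name(name, pointer_to=None):
    """Wire-encode a name. pointer_to=(suffix, offset) replaces that suffix with a
    compression pointer (RFC 1035 4.1.4); otherwise the name is emitted in full."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if pointer_to:
        suffix, offset = pointer_to
        slabels = [l for l in suffix.rstrip(".").split(".") if l]
        if labels[-len(slabels):] == slabels:
            head = b"".join(bytes([len(l)]) + l.encode("ascii")
                            for l in labels[:-len(slabels)])
            return head + struct.pack("!H", 0xC000 | offset)
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2                          # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            hops += 1
            if hops > 64:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_message(compress):
    """Header + question (mail.example.com MB) + one MB answer, compressed or not.
    Offsets: the question name starts at 12, its 'example.com' suffix at 17."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    question = encode_name("mail.example.com.") + struct.pack("!HH", MB, IN)
    owner = encode_name("mail.example.com.",
                        ("mail.example.com.", 12) if compress else None)
    rdata = encode_name("MBOX.example.com.",
                        ("example.com.", 17) if compress else None)
    rr = owner + struct.pack("!HHIH", MB, IN, 3600, len(rdata)) + rdata
    return hdr + question + rr


def parse_answer(msg):
    """Skip header and question; return the first answer RR's fields, decompressed."""
    _, off = read_name(msg, 12)
    off += 4                                           # QTYPE, QCLASS
    owner, off = read_name(msg, off)
    rtype, rclass, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    target, _ = read_name(msg, off + 10)               # MB RDATA: one name
    return owner, rtype, rclass, ttl, target


def canonical_rr(owner, rtype, rclass, ttl, target):
    """RFC 4034 section 6 canonical form: owner and RDATA names lowercased and
    uncompressed, fixed fields in network byte order. This is what an RRSIG covers."""
    rdata = encode_name(target.lower())
    return (encode_name(owner.lower())
            + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata)


def tsig_style_mac(msg, key=b"constructed-shared-secret"):
    """HMAC over the whole wire message, the core of the RFC 2845 digest input
    (the real TSIG digest also appends the TSIG variables; omitted here)."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def compare():
    compressed, plain = build_message(True), build_message(False)
    return {
        "wire_equal": compressed == plain,
        "mac_equal": tsig_style_mac(compressed) == tsig_style_mac(plain),
        "canonical_equal": canonical_rr(*parse_answer(compressed))
                           == canonical_rr(*parse_answer(plain)),
    }


if __name__ == "__main__":
    print(compare())   # {'wire_equal': False, 'mac_equal': False, 'canonical_equal': True}
```

Running it shows the two wire images differ and so do their MACs, while the canonical form recovered from either message is byte-identical, which is why a relaying server that re-encodes (decompresses) a record breaks a MAC computed over the original wire bytes but leaves an RRSIG valid.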