Re: [DNSOP] [Technical Errata Reported] RFC6781 (6692)
Matthijs Mekking <matthijs@pletterpet.nl> Fri, 24 September 2021 14:35 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A63943A2B15 for <dnsop@ietfa.amsl.com>; Fri, 24 Sep 2021 07:35:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eh3NjpWJnIXt for <dnsop@ietfa.amsl.com>; Fri, 24 Sep 2021 07:35:48 -0700 (PDT)
Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net [194.109.24.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02B993A2B3A for <dnsop@ietf.org>; Fri, 24 Sep 2021 07:35:47 -0700 (PDT)
Received: from cust-69fe625f ([IPv6:fc0c:c103:c4a6:cf3c:d2f9:56fe:3f93:cb0b]) by smtp-cloud9.xs4all.net with ESMTPSA id TmIhmj0MGMWY7TmIimiMIo; Fri, 24 Sep 2021 16:35:44 +0200
To: Paul Wouters <paul@nohats.ca>
Cc: tjw.ietf@gmail.com, rwilton@cisco.com, dnsop@ietf.org, benno@NLnetLabs.nl, suzworldwide@gmail.com, jarle.greipsland@norid.no, RFC Errata System <rfc-editor@rfc-editor.org>
References: <20210922141813.933D3F40726@rfc-editor.org> <aff1b695-5f9c-369d-51b7-23ea4be020cc@nohats.ca> <53d91282-8df9-3afa-316c-9fc90b2fd3f1@pletterpet.nl> <b0f431b2-e612-abd4-a9b9-b04d7340b336@nohats.ca> <4289d849-e31b-824b-e80d-cde4afa2ab10@pletterpet.nl> <1884f6f8-bf53-94aa-ef6c-f8cc8f33c15e@nohats.ca>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <f1ca76dd-b591-5992-c7f7-4ac565d22415@pletterpet.nl>
Date: Fri, 24 Sep 2021 16:35:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <1884f6f8-bf53-94aa-ef6c-f8cc8f33c15e@nohats.ca>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4xfK2Xiax/8lRTDRm8qDSmA3/X2gDsY8yPEZYKHO0NP989xnGSi+OlHZQDuy/unM8wQdqTbufVR+TBsvStakwG4OVSU1/a8sOAFgCmXNKu8VO4aHmqkG4S Os6HJiSa0xf8A5tlgL/VkuQ9zNRU/Li3zeA/+8xe3KIrxHiWDLHqcGIhz3fcbXB579g9+1PiNBhOEPsid302TV8Y2m20ENvVMz1UkRiolomUV/URBvH8s5Uw MkDANnKiPQ9ug0H9v0ffW6ZWP6g0mmQ1Ozj367oIgLCiOcCivpQDr6l8uxYMr/fQCsBztPwAx8205H16NT05vNWalWc/y98o0Z8tIisxR6xS2mfdwfs+96l3 +YAvQkMqqW/HjuJOOEkve1RaYHF2YsUX99wMcABBBirreWB0yi4NrI6Y9NhKR2vAI8fypzBb9K71NCiAp61xzce0w3hIAPLsXT/mlG9xtsOk2JVqA9iRbLyT ZpndK38MxP2mKqF352roTQkZZxSxgGA1CUj0Ig==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9UpZqSjteoElECdNKTjDKHZAlI0>
Subject: Re: [DNSOP] [Technical Errata Reported] RFC6781 (6692)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 14:35:57 -0000
I am going to assume that the DNSKEY of this zone is not a trust anchor. So it is going to use the DS RRset, not a cached DNSKEY RRset, to authenticate the child zone's apex DNSKEY RRset (the one from the response). Then from RFC 4035: o The matching DNSKEY RR in the child zone has the Zone Flag bit set, the corresponding private key has signed the child zone's apex DNSKEY RRset, and the resulting RRSIG RR authenticates the child zone's apex DNSKEY RRset. I read this as the cached DNSKEY RRset does not come into play when validating the DNSKEY RRset from the response, and any implementation that does otherwise is not compliant. - Matthijs On 24-09-2021 15:01, Paul Wouters wrote: > On Fri, 24 Sep 2021, Matthijs Mekking wrote: > >> Second, I believe the corner case you mentioned is for Figure 15 (the >> one in Appendix D), and I don't understand the scenario you are >> describing. What do you mean with "the resolver getting the DNKSEY >> RRset for NS_B would not contain a valid key for the DNSKEY RRset of >> NS_B". I think the resolver would get a new DNSKEY RRset with a >> pre-fetch (or if the DNSKEY RRset was expired from cache) and that >> would be validated with the DNSKEY from the response. > > If it has a valid unexpired DNSKEY RRset, and a resolver fetches that > DNSKEY RRset again, will it use the cached DNSKEY RRset or the DNSKEY RRset > from the fetched record set to validate the signature against the cached > DS RRset ? Or is this implementation specific? > > Paul > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- [DNSOP] Re: [Technical Errata Reported] RFC6781 (… Warren Kumari
- [DNSOP] [Technical Errata Reported] RFC6781 (6692) RFC Errata System
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Paul Wouters
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Paul Wouters
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Paul Wouters
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- [DNSOP] Re: [Technical Errata Reported] RFC6781 (… Peter Thomassen
- [DNSOP] Re: [Technical Errata Reported] RFC6781 (… Warren Kumari