Re: [DNSOP] [Technical Errata Reported] RFC8078 (5049)

Matthijs Mekking <matthijs@pletterpet.nl> Wed, 28 June 2017 08:01 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C61312EB78 for <dnsop@ietfa.amsl.com>; Wed, 28 Jun 2017 01:01:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o0V2tWItsXvj for <dnsop@ietfa.amsl.com>; Wed, 28 Jun 2017 01:01:29 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5A8C12EB9B for <dnsop@ietf.org>; Wed, 28 Jun 2017 01:01:28 -0700 (PDT)
Received: from [IPv6:2001:981:19be:1:8963:6456:103b:9dfe] (unknown [IPv6:2001:981:19be:1:8963:6456:103b:9dfe]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 4B7B1B2F3; Wed, 28 Jun 2017 10:01:26 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: Dick Franks <rwfranks@acm.org>
Cc: =?UTF-8?Q?Ond=c5=99ej_Caletka?= <Ondrej.Caletka@cesnet.cz>, =?UTF-8?Q?=c3=93lafur_Gu=c3=b0mundsson?= <olafur@cloudflare.com>, tjw ietf <tjw.ietf@gmail.com>, IETF DNSOP WG <dnsop@ietf.org>, Suzanne Woolf <suzworldwide@gmail.com>, pwouters@redhat.com, bclaise@cisco.com, RFC Editor <rfc-editor@rfc-editor.org>
References: <20170623105434.22478B810AB@rfc-editor.org> <CAN6NTqyBg74NF-F8imGiK0ArwxAbhc0uE_xXbX-No+Le8E9DUg@mail.gmail.com> <CAKW6Ri7npS57gupPrUc2aGhsg21u8csx+69GKrCFkeQ6H5Dnxw@mail.gmail.com> <9284fde5-ea75-a25a-3aa1-2e521753dc3e@cesnet.cz> <519c2cb0-0239-e28f-e4e8-6dcb13459d3d@pletterpet.nl> <CAKW6Ri5hsUEFuWmVp1UNauk=C7HykdiA9stQoMcdDs6gd6+axg@mail.gmail.com> <cfed78ae-0133-e883-f579-3a9ca92ccab0@pletterpet.nl> <CAKW6Ri55OMz2ZO27XVNeEYTqscx6hJk+VqTE7p8DyV53uQ0YmA@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <8d9bac0b-102e-f40f-2f8f-21da28d24518@pletterpet.nl>
Date: Wed, 28 Jun 2017 10:01:25 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CAKW6Ri55OMz2ZO27XVNeEYTqscx6hJk+VqTE7p8DyV53uQ0YmA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9W-ACoYuG7L0a7JmQA9UdgK4mds>
Subject: Re: [DNSOP] [Technical Errata Reported] RFC8078 (5049)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2017 08:01:31 -0000

On 27-06-17 14:28, Dick Franks wrote:
> 
> On 26 June 2017 at 15:30, Matthijs Mekking <matthijs@pletterpet.nl
> <mailto:matthijs@pletterpet.nl>> wrote:
> 
> 
> 
>     On 26-06-17 13:29, Dick Franks wrote:
> 
>     You misunderstood: Variable length in octets, but not variable in
>     number of RDATA elements
> 
> 
> I did.
> 
> Am I correct in thinking that you want some acknowledgement that 4
> fields exist, but do not really care what the final item is?

RFC 7344 specifies that the CDS RDATA format is the same as DS RDATA
format. RFC 4034 speficies the DS RDATA format contains 4 fields. So by
definition the CDS RDATA contains 4 fields. Same logic applies for
DNSKEY/CDNSKEY.

I suggested indeed one time that we should ignore the Digest (or Public
Key in case of CDNSKEY) if Algorithm is 0, but that is unrelated to this
issue. Since "0" is not valid base64, I would like to see this erratum
accepted to fix the notation in RFC 8078.

Best regards,
  Matthijs
	

>         So an implementer has little choice but to make CDS/CDNSKEY work
>         in accordance with the standard as written until IESG approves
>         something else.
> 
> 
>     Sure, but that is why we are discussing it, not?
> 
> 
> That is what we should be discussing, but this erratum seems to be
> steering us along a road full of potholes that I certainly do not want
> to fall into. IMHO this is based on a misunderstanding of your "mandated
> notation" argument.
>  
>  
> 
>         And when that something else arrives, users will be mightily
>         upset if RFC8078 CDS/CDNSKEY suddenly stops working, so the code
>         will need to cope with both versions.  The only realistic way to
>         achieve that is to determine the entire content of the DELETE
>         CDS/CDNSKEY from the zero algorithm field. Beyond that, the
>         content of the "mandated notation" is irrelevant because it can
>         be left unparsed.
> 
> 
>     My first suggestion for the draft was indeed: In case the DNSSEC
>     algorithm is 0, the Digest/Public Key MUST be ignored.
> 
> 
> I would go further, and say that all fields (except algorithm) MUST be
> ignored
> 
>  
> 
>     But there were concerns that if someone mistyped the algorithm field
>     the DS accidentally gets removed. So now the RFC says that the
>     contents of the CDS or CDNSKEY RRset MUST contain one RR and the "0
>     [0,3] 0 0" notation is mandated.
> 
> 
> The one RR requirement is not in dispute.
> 
> Let us make a start with the following 3 use cases, to see if we can
> come to some common understanding of what we are trying to achieve.
> 
> (1)  CDS arrives on the wire
> 
> cds.example. IN CDS  \# 5 1234 00 56 78      ; silly numbers in most fields
> 
> RDATA as received:
> 
>          'algorithm' => 0,
>          'digestbin' => 'x',
>          'digtype' => 86,
>          'keytag' => 4660,
> 
> Algorithm = 0, so presentation format uses "RFC8078 mandated notation":
> 
> cds.example.    IN    CDS    0 0 0 0

> (2)  DELETE CDS read from zone file, transmitted to parent
> 
> cds.example.    IN    CDS    0 0 0 0
> 
> Algorithm = 0, so this is a DELETE CDS.
> 
> Check that RDATA string matches "mandated notation".
> 
> Coerce all RDATA numerical fields to zero, digest empty.
> 
> Transmitted CDS RR:
> 
> cds.example. IN CDS  \# 4 0000 00 00
> 
> 
> (3)  Normal CDS read from zone file, but with accidental 0 in algorithm
> field
> 
> cds.example. CDS 6485 0 1 2bb183af5f22588179a53b0a98631fad1a292118
> 
> Algorithm = 0, so this is apparently a DELETE CDS.
> 
> Exception raised - RDATA does not match "mandated notation"
> 
> DS saved from accidental deletion:-)
> 
> 
> Obviously, similar logic applies to CDNSKEY.
> 
> --Dick