Re: [DNSOP] [Technical Errata Reported] RFC8976 (6425)

"Wellington, Brian" <bwelling@akamai.com> Thu, 11 February 2021 19:19 UTC

From: "Wellington, Brian" <bwelling@akamai.com>
To: "Wessels, Duane" <dwessels@verisign.com>
CC: RFC Errata System <rfc-editor@rfc-editor.org>, "Barber, Piet" <pbarber@verisign.com>, "Weinberg, Matt" <matweinb@amazon.com>, Warren Kumari <warren@kumari.net>, Wes Hardaker <ietf@hardakers.net>, "rwilton@cisco.com" <rwilton@cisco.com>, "<benno@nlnetlabs.nl>" <benno@NLnetLabs.nl>, "suzworldwide@gmail.com" <suzworldwide@gmail.com>, "tjw.ietf@gmail.com" <tjw.ietf@gmail.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 11 Feb 2021 19:19:10 +0000
Message-ID: <9106CD0F-ABF2-4A44-87CA-B592995553CD@akamai.com>
References: <20210210214825.C81B9F4073F@rfc-editor.org> <D944A6A0-C2F8-4AC7-8327-47EF396D849F@verisign.com>
In-Reply-To: <D944A6A0-C2F8-4AC7-8327-47EF396D849F@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NE0nQmRXXF6w4PZMjR0K5gXhHS0>
Subject: Re: [DNSOP] [Technical Errata Reported] RFC8976 (6425)

Hi Duane,

I’m not sure if I completely agree with this analysis.  The issue isn’t about validation; it’s about parsing the presentation format.  The RFC says:

   When SHA384 is used, the size of the
   Digest field is 48 octets.  The result of the SHA384 digest algorithm
   MUST NOT be truncated

I’d interpret that as requiring (or at least allowing) a zone file parser to reject the example record as malformed, and fail to parse the zone.  Section 2 is describing the format of the record itself, not the process of validation, so I would expect the specific text in 2.2.3 to be applicable to parsing the record, not validating it.

Thanks,
Brian
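As an added example (not part of this thread or of RFC 8976 itself), the following is a strict presentation-format parser for ZONEMD RDATA that enforces the Section 2.2.3 digest length, run against the A.3 record as published and the 48-octet correction proposed below. It also applies the SHA512 (64-octet) and 12-octet-minimum rules from the RFC, which this thread does not quote; all function and constant names are my own.

```python
import re

# RFC 8976 Section 2.2.3: Hash Algorithm 1 is SHA384 (48-octet digest) and
# Hash Algorithm 2 is SHA512 (64-octet digest); neither may be truncated.
# Section 2.2.4: any Digest field MUST be at least 12 octets long.
ZONEMD_DIGEST_LEN = {1: 48, 2: 64}
MIN_DIGEST_LEN = 12
SUPPORTED_SCHEMES = {1}  # Scheme 1 = SIMPLE; 240-254 are private use

class ZonemdParseError(ValueError):
    """Raised when ZONEMD presentation-format RDATA is malformed."""

def parse_zonemd_rdata(text):
    """Parse ZONEMD RDATA ("serial scheme hashalg digest") in presentation
    format, including the multi-line parenthesised form used in RFC 8976.
    Returns (serial, scheme, hash_alg, digest) or raises ZonemdParseError."""
    fields = text.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ZonemdParseError("need serial, scheme, hash algorithm and digest")
    try:
        serial, scheme, hash_alg = (int(f) for f in fields[:3])
    except ValueError as exc:
        raise ZonemdParseError("serial, scheme and hash algorithm must be integers") from exc
    if not (0 <= serial <= 0xFFFFFFFF and 0 <= scheme <= 255 and 0 <= hash_alg <= 255):
        raise ZonemdParseError("serial, scheme or hash algorithm out of range")
    hexdigest = "".join(fields[3:])  # continuation lines carry the digest
    if len(hexdigest) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexdigest):
        raise ZonemdParseError("digest is not an even-length hex string")
    digest = bytes.fromhex(hexdigest)
    expected = ZONEMD_DIGEST_LEN.get(hash_alg)
    if expected is not None and len(digest) != expected:
        raise ZonemdParseError(
            f"hash algorithm {hash_alg} requires {expected} octets, got {len(digest)}")
    if len(digest) < MIN_DIGEST_LEN:
        raise ZonemdParseError("digest shorter than 12 octets")
    return serial, scheme, hash_alg, digest

def verifier_would_use(rdata_text):
    """Verifier view: a well-formed ZONEMD RR is ignored (not fatal) when its
    scheme or hash algorithm is unsupported; a malformed one never gets this far."""
    _, scheme, hash_alg, _ = parse_zonemd_rdata(rdata_text)
    return scheme in SUPPORTED_SCHEMES and hash_alg in ZONEMD_DIGEST_LEN

# Sample RDATA taken from the thread: the A.3 record as published (20-octet
# digest) and the proposed correction (48 octets).
PUBLISHED_A3 = """2018031900 241 1 ( e1846540e33a9e41 89792d18d5d131f6 05fc283e )"""
CORRECTED_A3 = """2018031900 241 1 ( e1846540e33a9e41 89792d18d5d131f6
    05fc283e8136a8ed 924937852d0076a3 fd5cd859c4265eaf a8dd75c61e3dc079 )"""
```

Feeding PUBLISHED_A3 to the parser raises ZonemdParseError (20 octets where 48 are required), which is the zone-file-parser outcome described above; CORRECTED_A3 parses but is still skipped by the verifier because scheme 241 is private use.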

> On Feb 11, 2021, at 10:25 AM, Wessels, Duane <dwessels@verisign.com> wrote:
> 
> Brian,
> 
> Thank you for reporting this.  Indeed this example SHA384 digest should have 48 octets, although the A.3 example zone as a whole is still valid because a verifier will exclude the ZONEMD RR in question either because of the private-use scheme or because it is truncated.  Since the example wasn't intended to include a truncated digest, we think the errata should be accepted and corrected.  Proposed correction:
> 
> example.      86400  IN  ZONEMD  2018031900 241 1 (
>                                 e1846540e33a9e41
>                                 89792d18d5d131f6
>                                 05fc283e8136a8ed
>                                 924937852d0076a3
>                                 fd5cd859c4265eaf
>                                 a8dd75c61e3dc079 )
> 
> DW
> 
> 
>> On Feb 10, 2021, at 1:48 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>> 
>> The following errata report has been submitted for RFC8976,
>> "Message Digest for DNS Zones".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6425
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Brian Wellington <bwelling@akamai.com>
>> 
>> Section: A.3
>> 
>> Original Text
>> -------------
>> example.      86400  IN  ZONEMD  2018031900 241 1 (
>>                                e1846540e33a9e41
>>                                89792d18d5d131f6
>>                                05fc283e )
>> 
>> 
>> Corrected Text
>> --------------
>> <A ZONEMD record with a digest of length 48>
>> 
>> Notes
>> -----
>> 2.2.3 defines Hash Algorithm 1 as SHA384, and says that "the size of the Digest field is 48 octets". There is nothing in 2.2.3 (or 2.2.2, where Scheme is defined) that indicates that Scheme and Hash Algorithm are dependent on each other, so the fact that the Scheme value (241) is private should have no effect on the digest computed by Hash Algorithm 1.
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party  
>> can log in to change the status and edit the report, if necessary. 
>> 
>> --------------------------------------
>> RFC8976 (draft-ietf-dnsop-dns-zone-digest-14)
>> --------------------------------------
>> Title               : Message Digest for DNS Zones
>> Publication Date    : February 2021
>> Author(s)           : D. Wessels, P. Barber, M. Weinberg, W. Kumari, W. Hardaker
>> Category            : PROPOSED STANDARD
>> Source              : Domain Name System Operations
>> Area                : Operations and Management
>> Stream              : IETF
>> Verifying Party     : IESG
>