Re: [DNSOP] draft-ietf-dnsop-rfc2845bis-01
Mark Andrews <marka@isc.org> Wed, 31 October 2018 00:15 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2766130DC7 for <dnsop@ietfa.amsl.com>; Tue, 30 Oct 2018 17:15:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fh2Xrv32g8Sp for <dnsop@ietfa.amsl.com>; Tue, 30 Oct 2018 17:15:03 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6920D1277CC for <dnsop@ietf.org>; Tue, 30 Oct 2018 17:15:03 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id EF4403AB041 for <dnsop@ietf.org>; Wed, 31 Oct 2018 00:15:00 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B7C9A160082 for <dnsop@ietf.org>; Wed, 31 Oct 2018 00:15:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A867316007D for <dnsop@ietf.org>; Wed, 31 Oct 2018 00:15:00 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mo0JH66ufVsC for <dnsop@ietf.org>; Wed, 31 Oct 2018 00:15:00 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3E676160067 for <dnsop@ietf.org>; Wed, 31 Oct 2018 00:15:00 +0000 (UTC)
From: Mark Andrews <marka@isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <820E2C62-E806-4875-9E6C-9301A510980B@isc.org>
Date: Wed, 31 Oct 2018 11:14:57 +1100
To: dnsop <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PmftRO0utM1fb9SryqIXF0ZKThM>
Subject: Re: [DNSOP] draft-ietf-dnsop-rfc2845bis-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 00:15:05 -0000
When experimenting with what would happen if we defined a well known TSIG key to provide a crypto hash for DNS/UDP to prevent fragmentation attacks being accepted it became clear that RFC2845 was not clear enough in error condition handling. See https://ednscomp.isc.org/compliance/alexa1m-tsig-wkk.txt for a summary of the results (this is being regenerated monthly). The setting of the time fields on BADKEY is not well defined. We had implementations setting the values to zero. Handling of BADKEY with a bad time is also not handled well. I would recommend always copying the time fields from the request to the response for BADKEY and BADALG. This provides the client with some of off path spoof protection. The request’s algorithm field was not always copied to the response on BADKEY. There were various implementations that detected BADKEY but continued processing the query. NOERROR+BADKEY and REFUSED+BADKEY were seen. The ID field in the TSIG of the reply to a forwarded message is not well defined. i.e. should it be the original ID from the request’s TSIG or the ID of the forwarded message. While other data in the initial request is not expected with RFC2845 it should be hashed but otherwise ignored if non empty. There are also some STD13 issues see like returning FORMERR is not done by taking the query and setting the RCODE=FORMERR and setting QR=1. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] draft-ietf-dnsop-rfc2845bis-01 Mark Andrews
- Re: [DNSOP] draft-ietf-dnsop-rfc2845bis-01 Francis Dupont