[DNSOP] Review of draft-dupont-dnsop-rfc2845bis-00.txt

Mukund Sivaraman <muks@isc.org> Sat, 04 November 2017 06:30 UTC

Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id AD6DE13FB5B for <dnsop@ietfa.amsl.com>; Fri, 3 Nov 2017 23:30:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id AV7k7nHUSBw2 for <dnsop@ietfa.amsl.com>; Fri, 3 Nov 2017 23:30:25 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [IPv6:2a01:4f8:140:644b::225]) by ietfa.amsl.com (Postfix) with ESMTP id 4075D13FAF3 for <dnsop@ietf.org>; Fri, 3 Nov 2017 23:30:25 -0700 (PDT)
Received: from jurassic.lan.banu.com (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id F391156A0100; Sat, 4 Nov 2017 06:30:21 +0000 (GMT)
Date: Sat, 04 Nov 2017 12:00:18 +0530
From: Mukund Sivaraman <muks@isc.org>
To: dnsop@ietf.org
Message-ID: <20171104063018.GA25223@jurassic.lan.banu.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WrXKcwH5kuw93dzXfCdvJBGwyBI>
Subject: [DNSOP] Review of draft-dupont-dnsop-rfc2845bis-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Nov 2017 06:30:30 -0000

Hi Francis, Stephen

After a reading, I felt that this document needs the following:

* Editing for clarity of sentences
* Addressing insufficient protocol specification

Review follows that suggests changes. Some are nitpicking, but changes
are needed to be pedantically correct.

>    This protocol allows for transaction level authentication using
>    shared secrets and one way hashing.  It can be used to authenticate

I'd start as "This document describes a protocol for transaction level

>    shared secrets and one way hashing.  It can be used to authenticate
>    dynamic updates as coming from an approved client, or to authenticate
>    responses as coming from an approved recursive name server.

s/recursive name server/name server/

>    No provision has been made here for distributing the shared secrets:
>    it is expected that a network administrator will statically configure
>    name servers and clients using some out of band mechanism such as
>    sneaker-net until a secure automated mechanism for key distribution
>    is available.

This paragraph may be misconstrued to imply that such an automated
mechanism is forthcoming. I'd leave it at just this:

"This document does not describe how to distribute the shared secrets.
It is expected that a network administrator will statically configure
name servers and clients using some out of band mechanism."

>    This document includes revised original TSIG specifications
>    (RFC2845) and the extension for HMAC-SHA (RFC4635).

s/and the extension/and its extension/

> 1.  Introduction
>    In 2017, security problems in two nameservers strictly following
>    [RFC2845] and [RFC4635] (i.e., TSIG and HMAC-SHA extension)

s/TSIG and HMAC-SHA extension/TSIG and its HMAC-SHA extension/

>    specifications were discovered.  The implementations were fixed but,
>    to avoid similar problems in the future, the two documents were
>    updated and merged, producing these revised specifications for TSIG.
>    The Domain Name System (DNS) [RFC1034], [RFC1035] is a replicated
>    hierarchical distributed database system that provides information
>    fundamental to Internet operations, such as name <=> address
>    translation and mail handling information.
>    This document specifies use of a message authentication code (MAC),
>    either HMAC-MD5 or HMAC-SHA (keyed hash functions), to provide an
>    efficient means of point-to-point authentication and integrity
>    checking for transactions.

I'd avoid listing the HMACs here and instead refer to the section below
that lists them.

>    The second area where the secret key based MACs specified in this
>    document can be used is to authenticate DNS update requests as well
>    as transaction responses, providing a lightweight alternative to the
>    protocol described by [RFC3007].

It isn't clear how this is different from "first area". DNS updates are
also transactions.

>    A further use of this mechanism is to protect zone transfers.  In
>    this case the data covered would be the whole zone transfer including
>    any glue records sent.  The protocol described by DNSSEC does not
>    protect glue records and unsigned records unless SIG(0) (transaction
>    signature) is used.

I'd avoid including this whole sentence about DNSSEC.

>    The authentication mechanism proposed in this document uses shared
>    secret keys to establish a trust relationship between two entities.

I'd s/shared secret keys/pre-shared secret keys/

>    Such keys must be protected in a fashion similar to private keys,


>    lest a third party masquerade as one of the intended parties (forge
>    MACs).  There is an urgent need to provide simple and efficient
>    authentication between clients and local servers and this proposal
>    addresses that need.  This proposal is unsuitable for general server
>    to server authentication for servers which speak with many other
>    servers, since key management would become unwieldy with the number
>    of shared keys going up quadratically.  But it is suitable for many
>    resolvers on hosts that only talk to a few recursive servers.
>    A server acting as an indirect caching resolver -- a "forwarder" in
>    common usage -- might use transaction-based authentication when
>    communicating with its small number of preconfigured "upstream"
>    servers.  Other uses of DNS secret key authentication and possible
>    systems for automatic secret key distribution may be proposed in
>    separate future documents.
>    Note that use of TSIG presumes prior agreement between the resolver
>    and server involved as to the algorithm and key to be used.

Again this document seems to tie itself to the resolver case only.

s/between the resolver and server/between the client and server/

>    Since the publication of first version of this document ([RFC2845]) a
>    mechanism based on asymmetric signatures using the SIG RR was
>    specified (SIG(0) [RFC2931]) when this document uses symmetric
>    authentication codes calculated by HMAC [RFC2104] using strong hash
>    functions.

s/when this document/whereas this document/

> 4.1.  TSIG RR Type
>    To provide secret key authentication, we use a new RR type whose
>    mnemonic is TSIG and whose type code is 250.  TSIG is a meta-RR and
>    MUST NOT be cached.  TSIG RRs are used for authentication between DNS
>    entities that have established a shared secret key.  TSIG RRs are
>    dynamically computed to cover a particular DNS transaction and are
>    not DNS RRs in the usual sense.

The last sentence doesn't appear to be particularly accurate.
TSIG RRs are dynamically computed to cover specific DNS *messages* or
used possibly sparingly over a message sequence such as with zone
transfers (in this latter case, more than a single TSIG RR may be used).

I'd rewrite it as: "TSIG RRs are dynamically computed to cover DNS
transactions and are not DNS RRs in the usual sense."

> 4.2.  TSIG Calculation
>    As the TSIG RRs are related to one DNS request/response, there is no
>    value in storing or retransmitting them, thus the TSIG RR is
>    discarded once it has been used to authenticate a DNS message.  All
>    multi-octet integers in the TSIG record are sent in network byte
>    order (see [RFC1035] 2.3.2).
> 4.3.  TSIG Record Format
>    NAME  The name of the key used in domain name syntax.  The name
>          should reflect the names of the hosts and uniquely identify the
>          key among a set of keys these two hosts may share at any given
>          time.  If hosts A.site.example and B.example.net share a key,
>          possibilities for the key name include <id>.A.site.example,
>          <id>.B.example.net, and <id>.A.site.example.B.example.net.  It
>          should be possible for more than one key to be in simultaneous
>          use among a set of interacting hosts.  The name only needs to
>          be meaningful to the communicating hosts but a meaningful
>          mnemonic name as above is strongly recommended.
>          The name may be used as a local index to the key involved and
>          it is recommended that it be globally unique.  Where a key is
>          just shared between two hosts, its name actually only need only
>          be meaningful to them but it is recommended that the key name
>          be mnemonic and incorporate the resolver and server host names
>          in that order.
>    TYPE  TSIG (250: Transaction SIGnature)
>    TTL   0

Please include text that TTL MUST be set to 0, class MUST be set to ANY.

>    RdLen (variable)
>    RDATA
> 4.3.1.  TSIG RDATA Wire Format
>    The RDATA for a TSIG RR consists of an octet stream Algorithm Name
>    field, a uint48_t Time Signed field, a uint16_t Fudge field, a
>    uint16_t MAC Size field, a octet stream MAC field, a uint16_t
>    Original ID, a uint16_t Error field, a uint16_t Other Len field and
>    an octet stream of Other Data.
>                             1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
>         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>        /                         Algorithm Name                        /
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>        |                                                               |
>        |          Time Signed          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>        |                               |            Fudge              |
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>        |          MAC Size             |                               /
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+             MAC               /
>        /                                                               /
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>        |          Original ID          |            Error              |
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>        |          Other Len            |                               /
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+           Other Data          /
>        /                                                               /
>        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>  The Algorithm Name Field
>    The Algorithm Name field identifies the TSIG algorithm name in the
>    domain name syntax.

Please clarify that this field needs to be in RFC 1035 DNS name wire
format without name compression. Also for clarity I'd first explicitly
specify that unlike with other algorithm fields (represented by
integers) in DNS, the TSIG algorithm identifier is represented as a DNS

>  The Time Signed Field
>    The Time Signed field specifies seconds since 1970-01-01 UTC.
>  The Fudge Field
>    The Fudge field specifies allowed time difference in seconds
>    permitted in the Time Signed field.
>  The MAC Size Field
>    The MAC Size field specifies the length of MAC field in octets.
>    Truncation is indicated by a MAC size less than the HMAC size.
>  The MAC Field
>    The MAC field contents are defined by the used Algorithm.
>  The Error field
>    The Error field contains the Expanded RCODE covering TSIG processing.
>  The Other Len Field
>    The Other Len field specifies the length of Other Data in octets.
>  The Other Data Field
>    The Other Data field is empty unless Error == BADTIME.

What is in the Other Data field if Error is equal to BADTIME? A person
reading this document sequentially will not understand this. Please
introduce what "Other Data" is useful for.

Is it an error to use Other Data when Error != BADTIME?

> 4.4.  Example

Even this example does not follow the "should" recommendation under
section 4.3 above.

>    TTL   0
>    RdLen As appropriate
>    RDATA
>                     Field Name     Contents
>                     -------------- -------------------
>                     Algorithm Name SAMPLE-ALG.EXAMPLE.

Please use a valid algorithm in example.

>                     Time Signed    853804800
>                     Fudge          300
>                     MAC Size       As appropriate
>                     MAC            As appropriate
>                     Original ID    As appropriate
>                     Error          0 (NOERROR)
>                     Other Len      0
>                     Other Data     Empty
> 5.  Protocol Operation
> 5.1.  Effects of adding TSIG to outgoing message
>    Once the outgoing message has been constructed, the keyed message
>    digest operation can be performed.

I'd replace this with "Once the outgoing message has been constructed,
the HMAC computation can be performed."

> The resulting message digest will

I'd use s/message digest/MAC/ for clarity (even though the HMAC
operation outputs a message digest of some data).

>    then be stored in a TSIG which is appended to the additional data
>    section (the ARCOUNT is incremented to reflect this).

When is it incremented? Before MAC computation or after? Please specify.

>    If the TSIG record cannot be added without causing the message to
>    be truncated, the server MUST alter the response so that a TSIG can
>    be included.  This response consists of only the question and a
>    TSIG record, and has the TC bit set and RCODE 0 (NOERROR).  The
>    client SHOULD at this point retry the request using TCP (per
>    [RFC1035] 4.2.2).
> 5.2.  TSIG processing on incoming messages
>    If an incoming message contains a TSIG record, it MUST be the last
>    record in the additional section.  Multiple TSIG records are not
>    allowed.  If a TSIG record is present in any other position, the
>    packet is dropped and a response with RCODE 1 (FORMERR) MUST be
>    returned.  Upon receipt of a message with a correctly placed TSIG RR,
>    the TSIG RR is copied to a safe location, removed from the DNS
>    Message, and decremented out of the DNS message header's ARCOUNT.  At
>    this point the keyed message digest operation is performed: until

Here again, I'd replace keyed message digest with MAC computation for

>    this operation concludes that the signature is valid, the signature
>    MUST be considered to be invalid.  If the algorithm name or key name
>    is unknown to the recipient, or if the message digests do not match,
>    the whole DNS message MUST be discarded.

Perhaps s/discarded/rejected/ is a better wording here.

>    If the message is a query, a response with RCODE 9 (NOTAUTH) MUST
>    be sent back to the originator with TSIG ERROR 17 (BADKEY) or TSIG
>    ERROR 16 (BADSIG).  If no key is available to sign this message it
>    MUST be sent unsigned (MAC size == 0 and empty MAC).  A message to
>    the system operations log SHOULD be generated, to warn the
>    operations staff of a possible security incident in progress.  Care
>    should be taken to ensure that logging of this type of event does
>    not open the system to a denial of service attack.

This passage assumes that something is wrong with the message. It should
be separated into a different paragraph corresponding to what to do when
something is wrong with the message. Surely we must not send NOTAUTH for
messages that validate? The use of a single paragraph in 5.2 is

> 5.3.  Time values used in TSIG calculations
>    The data digested includes the two timer values in the TSIG header in
>    order to defend against replay attacks.  If this were not done, an
>    attacker could replay old messages but update the "Time Signed" and
>    "Fudge" fields to make the message look new.  This data is named
>    "TSIG Timers", and for the purpose of digest calculation they are
>    invoked in their "on the wire" format, in the following order: first
>    Time Signed, then Fudge.  For example:
>      Field Name  Value     Wire Format       Meaning
>      ----------- --------- ----------------- ------------------------
>      Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997
>      Fudge       300       01 2C             5 minutes
> 5.4.  TSIG Variables and Coverage
>    When generating or verifying the contents of a TSIG record, the
>    following data are digested, in network byte order or wire format, as
>    appropriate:

s/following data are digested/following data are passed as input to MAC

(Yes it is a digest within HMAC.)

> 5.4.1.  DNS Message
>    A whole and complete DNS message in wire format, before the TSIG RR
>    has been added to the additional data section and before the DNS
>    Message Header's ARCOUNT field has been incremented to contain the
>    TSIG RR.  If the message ID differs from the original message ID, the
>    original message ID is substituted for the message ID.  This could
>    happen when forwarding a dynamic update request, for example.
> 5.4.2.  TSIG Variables
>     Source     Field Name     Notes
>     ---------- -------------- -----------------------------------------
>     TSIG RR    NAME           Key name, in canonical wire format
>     TSIG RR    CLASS          (Always ANY in the current specification)
>     TSIG RR    TTL            (Always 0 in the current specification)
>     TSIG RDATA Algorithm Name in canonical wire format
>     TSIG RDATA Time Signed    in network byte order
>     TSIG RDATA Fudge          in network byte order
>     TSIG RDATA Error          in network byte order
>     TSIG RDATA Other Len      in network byte order
>     TSIG RDATA Other Data     exactly as transmitted
>    The RR RDLEN and RDATA MAC Length are not included in the hash since
>    they are not guaranteed to be knowable before the MAC is generated.

s/hash/input to MAC computation/

>    The Original ID field is not included in this section, as it has
>    already been substituted for the message ID in the DNS header and
>    hashed.
>    For each label type, there must be a defined "Canonical wire format"
>    that specifies how to express a label in an unambiguous way.  For
>    label type 00, this is defined in [RFC4034], for label type 01, this
>    is defined in [RFC6891].  The use of label types other than 00 and 01
>    is not defined for this specification.

What? This paragraph does not fit into this document. It seems to appear
in RFC 2845 too. What is this in relevance to?

> 5.4.3.  Request MAC
>    When generating the MAC to be included in a response, the validated
>    request MAC MUST be included in the digest.  If the request MAC

s/digest/MAC computation/

Please be careful when you use "digest" like this as it could be
misconstrued to mean "prepended/appended to the digest output".

>    failed to validate, an unsigned error message MUST be returned
>    instead.  (Section 6.3).
>    The request's MAC is digested in wire format, including the following
>    fields:
>               Field      Type         Description
>               ---------- ------------ ----------------------
>               MAC Length uint16_t     in network byte order
>               MAC Data   octet stream exactly as transmitted
> 5.5.  Padding
>    Digested components are fed into the hashing function as a continuous
>    octet stream with no interfield padding.

Digested components? Are components digested before feeding them into
the MAC function?

> 6.  Protocol Details
> 6.1.  TSIG generation on requests
>    Client performs the message digest operation and appends a TSIG
>    record to the additional data section and transmits the request to
>    the server.  The client MUST store the message digest from the

s/message digest/MAC/

>    request while awaiting an answer.  The digest components for a
>    request are:
>       DNS Message (request)
>       TSIG Variables (request)
>    Note that some older name servers will not accept requests with a
>    nonempty additional data section.  Clients SHOULD only attempt signed
>    transactions with servers who are known to support TSIG and share
>    some secret key with the client -- so, this is not a problem in
>    practice.
> 6.2.  TSIG on Answers
>    When a server has generated a response to a signed request, it signs
>    the response using the same algorithm and key.  The server MUST NOT
>    generate a signed response to an unsigned request or a request that
>    fails validation.  The digest components are:
>       Request MAC
>       DNS Message (response)
>       TSIG Variables (response)
> 6.3.  TSIG on TSIG Error returns
>    When a server detects an error relating to the key or MAC, the server
>    SHOULD send back an unsigned error message (MAC size == 0 and empty
>    MAC).  If an error is detected relating to the TSIG validity period
>    or the MAC is too short for the local policy, the server SHOULD send
>    back a signed error message.  The digest components are:
>       Request MAC (if the request MAC validated)
>       DNS Message (response)
>       TSIG Variables (response)
>    The reason that the request is not included in this digest in some
>    cases is to make it possible for the client to verify the error.  If
>    the error is not a TSIG error the response MUST be generated as
>    specified in Section 6.2.
> 6.4.  TSIG on TCP connection
>    A DNS TCP session can include multiple DNS envelopes.  This is, for
>    example, commonly used by zone transfer.  Using TSIG on such a
>    connection can protect the connection from hijacking and provide data
>    integrity.  The TSIG MUST be included on the first and last DNS
>    envelopes.  It can be optionally placed on any intermediary
>    envelopes.  It is expensive to include it on every envelopes, but it
>    MUST be placed on at least every 100'th envelope.  The first envelope
>    is processed as a standard answer, and subsequent messages have the
>    following digest components:
>       Prior Digest (running)
>       DNS Messages (any unsigned messages since the last TSIG)
>       TSIG Timers (current message)
>    This allows the client to rapidly detect when the session has been
>    altered; at which point it can close the connection and retry.  If a
>    client TSIG verification fails, the client MUST close the connection.
>    If the client does not receive TSIG records frequently enough (as
>    specified above) it SHOULD assume the connection has been hijacked
>    and it SHOULD close the connection.  The client SHOULD treat this the
>    same way as they would any other interrupted transfer (although the
>    exact behavior is not specified).

When reading RFC 2845, I felt this section was underspecified and this
document seems to replicate it.

1. s/envelope/message/ for consistency. It is confusing to have such
synonyms without any explanation.

2. The first paragraph is not properly written. A "DNS TCP session" can
be a single DNS connection. It can also accept mutiple pipelined
messages (separate transactions) which are not continuations.

AIUI, the sparse signing of intermediate messages in a TSIG TCP
continuation is only for the zone transfer case, and not for pipelined
TCP messages (separate transactions). Please correct me if I'm wrong,
and if I'm not wrong, then please rewrite this text specifically for
TSIG for zone transfers.

3. "Prior Digest (running)" is inadequately specified. A new reader of
this document will not understand what it is.

Also, s/The first envelope is processed as a standard answer, and
subsequent messages have the following digest components/The first
message is processed normally generating a TSIG RR, and the TSIG RR in
subsequent messages is generated with the MAC computation over the
following components in sequence/

4. I'd remove the text "It is expensive to include it on every

As an example, BIND and Knot currently includes TSIG RR in every DNS
message in a zone transfer, whereas NSD currently includes it
sparsely. I don't think any users notice it as particularly
expensive. It is after all just hashing below.

Whether something is expensive in space or time also doesn't stand the
test of time, so I'd not include a statement that states definitely that
it is expensive.

> 6.5.  Server TSIG checks
>    Upon receipt of a message, server will check if there is a TSIG RR.
>    If one exists, the server is REQUIRED to return a TSIG RR in the
>    response.  The server MUST perform the following checks in the
>    following order, check Key, check MAC, check Time values, check
>    Truncation policy.
> 6.5.1.  Key check and error handling
>    If a non-forwarding server does not recognize the key used by the
>    client, the server MUST generate an error response with RCODE 9
>    (NOTAUTH) and TSIG ERROR 17 (BADKEY).  This response MUST be unsigned
>    as specified in Section 6.3.  The server SHOULD log the error.
> 6.5.2.  Specifying Truncation

Shouldn't this section be moved to appear after the time checks below
(6.5.4) in logical order?

>    When space is at a premium and the strength of the full length of an
>    HMAC is not needed, it is reasonable to truncate the HMAC and use the
>    truncated value for authentication.  HMAC SHA-1 truncated to 96 bits
>    is an option available in several IETF protocols, including IPsec and
>    TLS.
>    Processing of a truncated MAC follows these rules
>    1.  If "MAC size" field is greater than HMAC output length:
>        This case MUST NOT be generated and, if received, MUST cause the
>        packet to be dropped and RCODE 1 (FORMERR) to be returned.

s/packet/DNS message/

>    2.  If "MAC size" field equals HMAC output length:
>        The entire output HMAC output is present and used.
>    3.  "MAC size" field is less than HMAC output length but greater than
>        that specified in case 4, below:
>        This is sent when the signer has truncated the HMAC output to an
>        allowable length, as described in [RFC2104], taking initial
>        octets and discarding trailing octets.  TSIG truncation can only
>        be to an integral number of octets.  On receipt of a packet with
>        truncation thus indicated, the locally calculated MAC is
>        similarly truncated and only the truncated values are compared
>        for authentication.  The request MAC used when calculating the
>        TSIG MAC for a reply is the truncated request MAC.

How about the "Prior Digest (running)" (section 6.4) ? Please specify.

>    4.  "MAC size" field is less than the larger of 10 (octets) and half
>        the length of the hash function in use:
> Dupont & Morris            Expires May 3, 2018                 [Page 12]
> Internet-Draft                  DNS TSIG                    October 2017
>        With the exception of certain TSIG error messages described in
>        Section 6.3, where it is permitted that the MAC size be zero,
>        this case MUST NOT be generated and, if received, MUST cause the
>        packet to be dropped and RCODE 1 (FORMERR) to be returned.
> 6.5.3.  MAC check and error handling
>    If a TSIG fails to verify, the server MUST generate an error response
>    as specified in Section 6.3 with RCODE 9 (NOTAUTH) and TSIG ERROR 16
>    (BADSIG).  This response MUST be unsigned as specified in
>    Section 6.3.  The server SHOULD log the error.
> 6.5.4.  Time check and error handling
>    If the server time is outside the time interval specified by the
>    request (which is: Time Signed, plus/minus Fudge), the server MUST
>    generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18
>    (BADTIME).  The server SHOULD also cache the most recent time signed
>    value in a message generated by a key, and SHOULD return BADTIME if a
>    message received later has an earlier time signed value.  A response
>    indicating a BADTIME error MUST be signed by the same key as the
>    request.  It MUST include the client's current time in the time
>    signed field, the server's current time (a uint48_t) in the other
>    data field, and 6 in the other data length field.  This is done so
>    that the client can verify a message with a BADTIME error without the
>    verification failing due to another BADTIME error.  The data signed
>    is specified in Section 6.3.  The server SHOULD log the error.
> 6.5.5.  Truncation check and error handling
>    If a TSIG is received with truncation that is permitted under
>    Section 6.5.2 above but the MAC is too short for the local policy in
>    force, an RCODE 9 (NOTAUTH) and TSIG ERROR 22 (BADTRUNC) MUST be
>    returned.  The server SHOULD log the error.
> 6.6.  Client processing of answer
>    When a client receives a response from a server and expects to see a
>    TSIG, it first checks if the TSIG RR is present in the response.
>    Otherwise, the response is treated as having a format error and
>    discarded.  The client then extracts the TSIG, adjusts the ARCOUNT,
>    and calculates the keyed digest in the same way as the server,
>    applying the same rules to decide if truncated MAC is valid.  If the
>    TSIG does not validate, that response MUST be discarded, unless the
>    RCODE is 9 (NOTAUTH), in which case the client SHOULD attempt to
>    verify the response as if it were a TSIG Error response, as specified
>    in Section 6.3.  A message containing an unsigned TSIG record or a
>    TSIG record which fails verification SHOULD NOT be considered an
> Dupont & Morris            Expires May 3, 2018                 [Page 13]
> Internet-Draft                  DNS TSIG                    October 2017
>    acceptable response; the client SHOULD log an error and continue to
>    wait for a signed response until the request times out.
> 6.6.1.  Key error handling
>    If an RCODE on a response is 9 (NOTAUTH), and the response TSIG
>    validates, and the TSIG key is different from the key used on the
>    request, then this is a Key error.  The client MAY retry the request
>    using the key specified by the server.  This should never occur, as a
>    server MUST NOT sign a response with a different key than signed the
>    request.
> 6.6.2.  MAC error handling
>    If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG),
>    this is a MAC error, and client MAY retry the request with a new
>    request ID but it would be better to try a different shared key if
>    one is available.  Clients SHOULD keep track of how many MAC errors
>    are associated with each key.  Clients SHOULD log this event.
> 6.6.3.  Time error handling
>    If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18
>    (BADTIME), or the current time does not fall in the range specified
>    in the TSIG record, then this is a Time error.  This is an indication
>    that the client and server clocks are not synchronized.  In this case
>    the client SHOULD log the event.  DNS resolvers MUST NOT adjust any
>    clocks in the client based on BADTIME errors, but the server's time
>    in the other data field SHOULD be logged.
> 6.6.4.  Truncation error handling
>    If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 22
>    (BADTRUNC) the this is a Truncation error.  The client MAY retry with
>    lesser truncation up to the full HMAC output (no truncation), using
>    the truncation used in the response as a hint for what the server
>    policy allowed (Section 8).  Clients SHOULD log this event.
> 6.7.  Special considerations for forwarding servers
>    A server acting as a forwarding server of a DNS message SHOULD check
>    for the existence of a TSIG record.  If the name on the TSIG is not
>    of a secret that the server shares with the originator the server
>    MUST forward the message unchanged including the TSIG.  If the name
>    of the TSIG is of a key this server shares with the originator, it
>    MUST process the TSIG.  If the TSIG passes all checks, the forwarding
>    server MUST, if possible, include a TSIG of his own, to the
>    destination or the next forwarder.  If no transaction security is
> Dupont & Morris            Expires May 3, 2018                 [Page 14]
> Internet-Draft                  DNS TSIG                    October 2017
>    available to the destination and the response has the AD flag (see
>    [RFC4035]), the forwarder MUST unset the AD flag before adding the
>    TSIG to the answer.
> 7.  Algorithms and Identifiers
>    The only message digest algorithm specified in the first version of
>    these specifications [RFC2845] was "HMAC-MD5" (see [RFC1321],
>    [RFC2104]).  The "HMAC-MD5" algorithm is mandatory to implement for
>    interoperability.
>    The use of SHA-1 [FIPS180-4], [RFC3174], (which is a 160-bit hash as
>    compared to the 128 bits for MD5), and additional hash algorithms in
>    the SHA family [FIPS180-4], [RFC3874], [RFC6234] with 224, 256, 384,
>    and 512 bits may be preferred in some cases.  This is because
>    increasingly successful cryptanalytic attacks are being made on the
>    shorter hashes.
>    Use of TSIG between a DNS resolver and server is by mutual agreement.
>    That agreement can include the support of additional algorithms and
>    criteria as to which algorithms and truncations are acceptable,
>    subject to the restriction and guidelines in Section 6.5.2 above.
>    Key agreement can be by the TKEY mechanism [RFC2930] or some other
>    mutually agreeable method.
>    The current HMAC-MD5.SIG-ALG.REG.INT and gss-tsig identifiers are
>    included in the table below for convenience.  Implementations that
>    support TSIG MUST also implement HMAC SHA1 and HMAC SHA256 and MAY
>    implement gss-tsig and the other algorithms listed below.
>                    Requirement Name
>                    ----------- ------------------------
>                    Mandatory   HMAC-MD5.SIG-ALG.REG.INT
>                    Optional    gss-tsig
>                    Mandatory   hmac-sha1
>                    Optional    hmac-sha224
>                    Mandatory   hmac-sha256
>                    Optional    hmac-sha384
>                    Optional    hmac-sha512
>    SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.

I don't know if it is outside the scope of this revision to alter this
table but I see two things:

1. SHA-512 is a faster hash than SHA-256, and so it would be better to
make support for SHA-512 and its truncated SHA-384 mandatory.

2. It makes little sense to support SHA-384 and SHA-224 when we already
support MAC truncation in the protocol itself.

3. HMAC-MD5 is still a secure HMAC currently, but it is discouraged for
new applications because it is built on top of MD5 which is barred for
new applications (RFC 6151).

I'm not sure if this revision constitutes a new application (as it is
still the backwards compatible protocol), but would it be allowed to
specify the use of MD5 on the path to RFC?

> 8.  TSIG Truncation Policy
>    Use of TSIG is by mutual agreement between a resolver and server.

Please remove this limitation of TSIG being between resolver and server
everywhere in the document.

>    Implicit in such an "agreement" are criteria as to acceptable keys
>    and algorithms and, with the extensions in this document,
>    truncations.  Note that it is common for implementations to bind the
> Dupont & Morris            Expires May 3, 2018                 [Page 15]
> Internet-Draft                  DNS TSIG                    October 2017
>    TSIG secret key or keys that may be in place at a resolver and server
>    to particular algorithms.  Thus, such implementations only permit the
>    use of an algorithm if there is an associated key in place.  Receipt
>    of an unknown, unimplemented, or disabled algorithm typically results
>    in a BADKEY error.
>    Local policies MAY require the rejection of TSIGs, even though they
>    use an algorithm for which implementation is mandatory.
>    When a local policy permits acceptance of a TSIG with a particular
>    algorithm and a particular non-zero amount of truncation, it SHOULD
>    also permit the use of that algorithm with lesser truncation (a
>    longer MAC) up to the full HMAC output.
>    Regardless of a lower acceptable truncated MAC length specified by
>    local policy, a reply SHOULD be sent with a MAC at least as long as
>    that in the corresponding request.  Note if the request specified a
>    MAC length longer than the HMAC output it will be rejected by
>    processing rules Section 6.5.2 case 1.
>    Implementations permitting multiple acceptable algorithms and/or
>    truncations SHOULD permit this list to be ordered by presumed
>    strength and SHOULD allow different truncations for the same
>    algorithm to be treated as separate entities in this list.  When so
>    implemented, policies SHOULD accept a presumed stronger algorithm and
>    truncation than the minimum strength required by the policy.
> 9.  Shared Secrets
>    Secret keys are very sensitive information and all available steps
>    should be taken to protect them on every host on which they are
>    stored.  Generally such hosts need to be physically protected.  If
>    they are multi-user machines, great care should be taken that
>    unprivileged users have no access to keying material.  Resolvers
>    often run unprivileged, which means all users of a host would be able
>    to see whatever configuration data is used by the resolver.
>    A name server usually runs privileged, which means its configuration
>    data need not be visible to all users of the host.  For this reason,
>    a host that implements transaction-based authentication should
>    probably be configured with a "stub resolver" and a local caching and
>    forwarding name server.  This presents a special problem for
>    [RFC2136] which otherwise depends on clients to communicate only with
>    a zone's authoritative name servers.

This seems use-case specific.

>    Use of strong random shared secrets is essential to the security of
>    TSIG.  See [RFC4086] for a discussion of this issue.  The secret
> Dupont & Morris            Expires May 3, 2018                 [Page 16]
> Internet-Draft                  DNS TSIG                    October 2017
>    SHOULD be at least as long as the keyed message digest, i.e., 16
>    bytes for HMAC-MD5 or 20 bytes for HMAC-SHA1.

I'd remove this example from here and add a field for minimum secret
length to the table of supported algorithms above.

> 10.  IANA Considerations
>    IANA maintains a registry of algorithm names to be used as "Algorithm
>    Names" as defined in Section 4.3.  Algorithm names are text strings
>    encoded using the syntax of a domain name.  There is no structure
>    required other than names for different algorithms must be unique
>    when compared as DNS names, i.e., comparison is case insensitive.
>    Previous specifications [RFC2845] and [RFC4635] defined values for
>    HMAC MD5 and SHA.  IANA has also registered "gss-tsig" as an
>    identifier for TSIG authentication where the cryptographic operations
>    are delegated to the Generic Security Service (GSS) [RFC3645].
>    New algorithms are assigned using the IETF Consensus policy defined
>    in [RFC8126].  The algorithm name HMAC-MD5.SIG-ALG.REG.INT looks like
>    a fully-qualified domain name for historical reasons; other algorithm
>    names are simple (i.e., single-component) names.
>    IANA maintains a registry of "TSIG Error values" to be used for
>    "Error" values as defined in Section 4.3.  Initial values should be
>    those defined in Section 3.  New TSIG error codes for the TSIG error
>    field are assigned using the IETF Consensus policy defined in
>    [RFC8126].
> 11.  Security Considerations
>    The approach specified here is computationally much less expensive
>    than the signatures specified in DNSSEC.  As long as the shared
>    secret key is not compromised, strong authentication is provided for
>    the last hop from a local name server to the user resolver.

This is again use-case specific. I'd replace this with "is provided
between client and server."

>    Secret keys should be changed periodically.

How periodically? I suggest referring to RFC 2104 section 3 rather than
recommending best practice here.

>    If the client host has been compromised, the server should suspend
>    the use of all secrets known to that client.  If possible, secrets
>    should be stored in encrypted form.  Secrets should never be
>    transmitted in the clear over any network.  This document does not
>    address the issue on how to distribute secrets.  Secrets should
>    never be shared by more than two entities.
>    This mechanism does not authenticate source data, only its
>    transmission between two parties who share some secret.  The original
>    source data can come from a compromised zone master or can be
>    corrupted during transit from an authentic zone master to some
>    "caching forwarder."  However, if the server is faithfully performing
>    the full DNSSEC security checks, then only security checked data will
>    be available to the client.
> Dupont & Morris            Expires May 3, 2018                 [Page 17]
> Internet-Draft                  DNS TSIG                    October 2017
>    A fudge value that is too large may leave the server open to replay
>    attacks.  A fudge value that is too small may cause failures if
>    machines are not time synchronized or there are unexpected network
>    delays.  The recommended value in most situation is 300 seconds.

I have felt that 300s (5 minutes) is too long to make up for clock skew
and message transmission delays. It becomes possible for a
man-in-the-middle to replay traffic (such as DNS UPDATEs) during this
opportunity window.

Server and client clocks must be synchronized to a common time, and it
is very improbable that a machine synchronizing to a clock source (e.g.,
using NTP software such as ntpd or chronyd) is off by more than a single
digit number of seconds.

It appears that the fudge time is not configurable at least in BIND
(without patching the source code).

>    For all of the message authentication code algorithms listed in this
>    document, those producing longer values are believed to be stronger;
>    however, while there have been some arguments that mild truncation
>    can strengthen a MAC by reducing the information available to an
>    attacker, excessive truncation clearly weakens authentication by
>    reducing the number of bits an attacker has to try to break the
>    authentication by brute force [RFC2104].
>    Significant progress has been made recently in cryptanalysis of hash
>    functions of the types used here, all of which ultimately derive from
>    the design of MD4.

After SHA-3 (though it is not yet in the table of TSIG algorithms as
HMAC currently), saying that all hash functions derive from the design
of MD4 would be incorrect, so I'd remove the last part of the sentence
above for future proofing.

>    While the results so far should not effect HMAC,
>    the stronger SHA-1 and SHA-256 algorithms are being made mandatory
>    due to caution.  Note that today SHA-3 [FIPS202] is available as an
>    alternative to SHA-2 using a very different design.

Available as TSIG algorithm? Unless it is added to the table above, I
suggest removing this reference.

>    See also the Security Considerations section of [RFC2104] from which
>    the limits on truncation in this RFC were taken.
> 11.1.  Issue fixed in this document
>    To bind an answer with its corresponding request the MAC of the
>    answer is computed using the MAC request.  Unfortunately original
>    specifications [RFC2845] failed to clearly require the MAC request to
>    be successfully validated.

I suggest rewriting this:

When signing a DNS reply message using TSIG, its MAC computation uses
the request message's MAC as an input to cryptographically relate the
reply to the request.  Unfortunately, the original TSIG specification
[RFC2845] failed to clearly require the request MAC to be successfully
validated before using it. This created a security vulnerability [add
reference to Synacktiv paper].

>    This document proposes the principle that the MAC must be considered
>    to be invalid until it was validated.  This leads to the requirement
>    that only a validated request MAC is included in a signed answer.  Or
>    with other words when the request MAC was not validated the answer
>    must be unsigned with a BADKEY or BADSIG TSIG error.

"This document makes it a requirement that the request MAC must be
considered to be invalid until it passes validation."

> 11.2.  Why not DNSSEC?
>    This section from the original document [RFC2845] analyzes DNSSEC in
>    order to justify the introduction of TSIG.
>    DNS has recently been extended by DNSSEC ([RFC4033], [RFC4034] and
>    [RFC4035]) to provide for data origin authentication, and public key
>    distribution, all based on public key cryptography and public key
>    based digital signatures.  To be practical, this form of security
>    generally requires extensive local caching of keys and tracing of
>    authentication through multiple keys and signatures to a pre-trusted
>    locally configured key.
> Dupont & Morris            Expires May 3, 2018                 [Page 18]
> Internet-Draft                  DNS TSIG                    October 2017
>    One difficulty with the DNSSEC scheme is that common DNS
>    implementations include simple "stub" resolvers which do not have
>    caches.  Such resolvers typically rely on a caching DNS server on
>    another host.  It is impractical for these stub resolvers to perform
>    general DNSSEC authentication and they would naturally depend on
>    their caching DNS server to perform such services for them.  To do so
>    securely requires secure communication of queries and responses.
>    DNSSEC provides public key transaction signatures to support this,
>    but such signatures are very expensive computationally to generate.
>    In general, these require the same complex public key logic that is
>    impractical for stubs.
>    A second area where use of straight DNSSEC public key based
>    mechanisms may be impractical is authenticating dynamic update
>    [RFC2136] requests.  DNSSEC provides for request signatures but with
>    DNSSEC they, like transaction signatures, require computationally
>    expensive public key cryptography and complex authentication logic.
>    Secure Domain Name System Dynamic Update ([RFC3007]) describes how
>    different keys are used in dynamically updated zones.
> 12.  References
> 12.1.  Normative References
>    [FIPS180-4]
>               National Institute of Standards and Technology, "Secure
>               Hash Standard (SHS)", FIPS PUB 180-4, August 2015.
>    [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
>               STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
>               <https://www.rfc-editor.org/info/rfc1034>.
>    [RFC1035]  Mockapetris, P., "Domain names - implementation and
>               specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
>               November 1987, <https://www.rfc-editor.org/info/rfc1035>.
>    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
>               Requirement Levels", BCP 14, RFC 2119,
>               DOI 10.17487/RFC2119, March 1997,
>               <https://www.rfc-editor.org/info/rfc2119>.
>    [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
>               Wellington, "Secret Key Transaction Authentication for DNS
>               (TSIG)", RFC 2845, DOI 10.17487/RFC2845, May 2000,
>               <https://www.rfc-editor.org/info/rfc2845>.
> Dupont & Morris            Expires May 3, 2018                 [Page 19]
> Internet-Draft                  DNS TSIG                    October 2017
>    [RFC4635]  Eastlake 3rd, D., "HMAC SHA (Hashed Message Authentication
>               Code, Secure Hash Algorithm) TSIG Algorithm Identifiers",
>               RFC 4635, DOI 10.17487/RFC4635, August 2006,
>               <https://www.rfc-editor.org/info/rfc4635>.
>    [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
>               2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
>               May 2017, <https://www.rfc-editor.org/info/rfc8174>.
> 12.2.  Informative References

Please cite Synacktiv paper on vulnerability in RFC 2845 here.