Re: [DNSOP] [Technical Errata Reported] RFC6781 (5273)

Megan Ferguson <mferguson@amsl.com> Tue, 06 March 2018 01:45 UTC

Return-Path: <mferguson@amsl.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D53F0126DD9 for <dnsop@ietfa.amsl.com>; Mon, 5 Mar 2018 17:45:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HFnqE7g0SX-T for <dnsop@ietfa.amsl.com>; Mon, 5 Mar 2018 17:45:00 -0800 (PST)
Received: from mail.amsl.com (c8a.amsl.com [4.31.198.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E4F3124217 for <dnsop@ietf.org>; Mon, 5 Mar 2018 17:45:00 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by c8a.amsl.com (Postfix) with ESMTP id C70547161C; Mon, 5 Mar 2018 17:44:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from c8a.amsl.com ([127.0.0.1]) by localhost (c8a.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jgjzco8TKCWV; Mon, 5 Mar 2018 17:44:30 -0800 (PST)
Received: from [10.0.1.2] (cpe-76-168-191-223.socal.res.rr.com [76.168.191.223]) by c8a.amsl.com (Postfix) with ESMTPA id 4EBEF715C3; Mon, 5 Mar 2018 17:44:30 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Megan Ferguson <mferguson@amsl.com>
In-Reply-To: <269cc9ff-7929-d079-b14b-1d2e941d45d7@centroid.eu>
Date: Mon, 5 Mar 2018 17:45:02 -0800
Cc: Matthijs Mekking <matthijs@pletterpet.nl>, RFC System <rfc-editor@rfc-editor.org>, Benoit Claise <bclaise@cisco.com>, warren@kumari.net, suzworldwide@gmail.com, tjw.ietf@gmail.com, dnsop@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <29B381AD-5E99-4AD7-B63E-1730E6628823@amsl.com>
References: <20180303140335.59022B80C97@rfc-editor.org> <fa215576-b631-eaf4-c888-e20eb85b0db3@pletterpet.nl> <269cc9ff-7929-d079-b14b-1d2e941d45d7@centroid.eu>
To: "Peter J. Philipp" <rfceditor@centroid.eu>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nKWDJr3FC_haKCu3650KB_Li1_Y>
Subject: Re: [DNSOP] [Technical Errata Reported] RFC6781 (5273)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 01:45:02 -0000

Hi Peter and Matthijs,

We have deleted this report as requested by Peter.  
If any further errata apply to Figure 8, please submit another errata report.

Thank you.

RFC Editor/mf

On Mar 5, 2018, at 11:08 AM, Peter J. Philipp <rfceditor@centroid.eu> wrote:

> Hi,
> 
> I sent rfc-editor something on saturday that I wanted to retract this
> errata.  I guess it didn't make it through.  So I want to apologize to
> all for wasting their time.  In discussion on #dns at freenode yesterday
> with a guy named "hawk" it became apparent to me that I was in error.
> 
> Sorry,
> 
> -peter
> 
> 
> On 03/05/18 09:39, Matthijs Mekking wrote:
>> All,
>> 
>> I think this errata is incorrect: For an algorithm rollover it is
>> intended that at the "DNSKEY removal" step, the DNSKEYs are removed
>> from the zone, but the signatures stay. This is to play nicely with
>> conservative validators:
>> 
>>    The conservative approach interprets this section very strictly,
>>    meaning that it expects that every RRset has a valid signature for
>>    every algorithm signaled by the zone apex DNSKEY RRset, including
>>    RRsets in caches.
>> 
>> However, looking into this errata I do think there is an error in
>> Figure 8 in section 4.1.4:
>> 
>> The figure should have the signature of the old KSK, called
>> RRSIG_K_1(DNSKEY) in the "DNSKEY removal" step.
>> 
>> Because a conservative validator may have the DNSKEY RRset cached that
>> includes DNSKEY_K_1, DNSKEY_K_2, DNSKEY_Z_1, and DNSKEY_Z_2.
>> 
>> 
>> Regarding the notes on this errata:
>> 
>>> because:  I just don't think you can sign a zone without the
>>> corresponding ZSK's.
>> 
>> It is certainly possible to sign zones and not publish the
>> corresponding DNSKEY.
>> 
>> Best regards,
>>   Matthijs
>> 
>> 
>> On 03-03-18 15:03, RFC Errata System wrote:
>>> The following errata report has been submitted for RFC6781,
>>> "DNSSEC Operational Practices, Version 2".
>>> 
>>> --------------------------------------
>>> You may review the report below and at:
>>> http://www.rfc-editor.org/errata/eid5273
>>> 
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Peter J. Philipp <rfceditor@centroid.eu>
>>> 
>>> Section: 4.1.4
>>> 
>>> Original Text
>>> -------------
>>> Figure 8 on page 30.
>>> 
>>> Corrected Text
>>> --------------
>>> The figure should have the second ZSK DNSKEY, called DNSKEY_Z_10 under
>>> DNSKEY removal because SOA_3 is doubly signed.
>>> 
>>> or
>>> 
>>> The figure should not have the second RRSIG for SOA_3 that is derived
>>> from DNSKEY_Z_10.
>>> 
>>> because:  I just don't think you can sign a zone without the
>>> corresponding ZSK's.
>> 
>> 
>> 
>>> 
>>> 
>>> Notes
>>> -----
>>> It looks wrong to me.  A small technicality.  I'll let the authors
>>> decide if it's really wrong.
>>> 
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>> 
>>> --------------------------------------
>>> RFC6781 (draft-ietf-dnsop-rfc4641bis-13)
>>> --------------------------------------
>>> Title               : DNSSEC Operational Practices, Version 2
>>> Publication Date    : December 2012
>>> Author(s)           : O. Kolkman, W. Mekking, R. Gieben
>>> Category            : INFORMATIONAL
>>> Source              : Domain Name System Operations
>>> Area                : Operations and Management
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>> 
>