Re: [dnsext] An 5155 inconvenience

Edward Lewis <Ed.Lewis@neustar.biz> Fri, 20 January 2012 14:40 UTC


My reading of this is - if a validator is built with RFC 5155 in mind 
and it sees an NSEC3 RR with a flag field "other than 0 or 1" the 
record has been created by a signer that conforms to a more modern 
specification, say, RFC 17234.  (Or the signer is buggy, etc.)  As 
such, the validator is not equipped to deal with the situation and 
should complain somehow instead of proceeding.

At 15:17 +0100 1/20/12, Matthijs Mekking wrote:
>Hi,
>
>Section 8.2 of RFC 5155 states that a validator MUST ignore NSEC3 RRs
>with a Flags field value other than zero or one. But in the IANA
>Considerations section, bits 0-6 are available for assignment.
>
>Could it be that Section 8.2 actually says that a validator MUST ignore
>bits 0-6 of the NSEC3 Flags field? Do you think this clarification is
>suitable for an erratum or as text in dnssec-bis-updates?
>
>Best regards,
>   Matthijs

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Vote for the word of the day:
"Papa"razzi - father that constantly takes photos of the baby
Corpureaucracy - The institution of corporate "red tape"
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
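The Section 8.2 rule under discussion, worked through as an added example (this is not code from the thread or from any validator): a small NSEC3 RDATA parser following the wire layout of RFC 5155 section 3.2, plus the check a validator applies before using the record. Function names and the sample RDATA bytes are constructed for this example.

```python
import struct
from dataclasses import dataclass

SHA1 = 1        # the only NSEC3 hash algorithm RFC 5155 assigns
OPT_OUT = 0x01  # the only NSEC3 flag RFC 5155 defines (low-order bit of the Flags byte)

@dataclass
class NSEC3:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes
    next_hashed: bytes
    types: list[int]  # RR types present at the original owner name

def _take(rdata: bytes, pos: int, n: int) -> bytes:
    if pos + n > len(rdata):
        raise ValueError("NSEC3 RDATA truncated")
    return rdata[pos:pos + n]

def parse_type_bitmaps(raw: bytes) -> list[int]:
    """Decode the Type Bit Maps field (window, length, bitmap; MSB of each byte is the lowest type)."""
    types, pos = [], 0
    while pos < len(raw):
        window, length = _take(raw, pos, 2)
        if not 1 <= length <= 32:
            raise ValueError("bad bitmap length")
        bitmap = _take(raw, pos + 2, length)
        pos += 2 + length
        for i, byte in enumerate(bitmap):
            types.extend(window * 256 + i * 8 + bit for bit in range(8) if byte & (0x80 >> bit))
    return types

def parse_nsec3_rdata(rdata: bytes) -> NSEC3:
    """Parse NSEC3 RDATA wire format (RFC 5155 section 3.2): alg, flags, iterations, salt, next hash, bitmaps."""
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", _take(rdata, 0, 5))
    salt = _take(rdata, 5, salt_len)
    hash_len = _take(rdata, 5 + salt_len, 1)[0]
    next_hashed = _take(rdata, 6 + salt_len, hash_len)
    types = parse_type_bitmaps(rdata[6 + salt_len + hash_len:])
    return NSEC3(hash_alg, flags, iterations, salt, next_hashed, types)

def usable_by_validator(rr: NSEC3) -> bool:
    """RFC 5155 section 8.2 as written: ignore NSEC3 RRs with an unknown hash algorithm or a Flags value other than 0 or 1."""
    return rr.hash_alg == SHA1 and rr.flags in (0, OPT_OUT)

def build_rdata(flags: int) -> bytes:
    """Constructed sample: SHA-1, 10 iterations, 4-byte salt, 20-byte next hash, types A and NS."""
    return (struct.pack("!BBHB", SHA1, flags, 10, 4) + b"\xaa\xbb\xcc\xdd"
            + bytes([20]) + bytes(range(20)) + bytes([0, 1, 0x60]))
```

A record with any bit other than Opt-Out set (for example Flags = 0x03 or 0x80) is parsed fine but rejected by the check, which is the behaviour Ed describes: the validator does not know what such a signer meant and does not proceed with that record.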