Re: [dnsext] An 5155 inconvenience
Edward Lewis <Ed.Lewis@neustar.biz> Fri, 20 January 2012 15:33 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A20321F862F; Fri, 20 Jan 2012 07:33:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1327073582; bh=xz2DDrWhttTCCm/Es6ySg5aKG0VdPrKTtxgsQlqEgHY=; h=Mime-Version:Message-Id:In-Reply-To:References:Date:To:From:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=Z13i1jgxeabhD3lwh0/dwEQXPcXYpah8g06UQ3MPCekUMq+/JZ/rAEXiSL6R7YOG1 P8ynY/BEDl8iP/lWGZ1KMoC03gOav+gR8TCM9f0N1TTq39dKoVAfiZ9+KCVAUQ4pXK F/97F2JoXrUiySgcAvU675NObEryIHfNSaGaeHOY=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23A0B21F862F for <dnsext@ietfa.amsl.com>; Fri, 20 Jan 2012 07:33:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.689
X-Spam-Level:
X-Spam-Status: No, score=-105.689 tagged_above=-999 required=5 tests=[AWL=0.910, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSk7E5C6tB-f for <dnsext@ietfa.amsl.com>; Fri, 20 Jan 2012 07:32:59 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 2330A21F85A1 for <dnsext@ietf.org>; Fri, 20 Jan 2012 07:32:59 -0800 (PST)
Received: from nmet-lt60.cis.neustar.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q0KFWuwf014154; Fri, 20 Jan 2012 10:32:57 -0500 (EST) (envelope-from Ed.Lewis@neustar.biz)
Received: from [192.168.129.98] by nmet-lt60.cis.neustar.com (PGP Universal service); Fri, 20 Jan 2012 10:32:57 -0500
X-PGP-Universal: processed; by nmet-lt60.cis.neustar.com on Fri, 20 Jan 2012 10:32:57 -0500
Mime-Version: 1.0
Message-Id: <a06240800cb3f3945a726@[192.168.129.98]>
In-Reply-To: <4F1987CB.9060502@nlnetlabs.nl>
References: <4F197760.5030809@nlnetlabs.nl> <a06240801cb3f29fb11dc@[192.168.129.98]> <4F1987CB.9060502@nlnetlabs.nl>
Date: Fri, 20 Jan 2012 10:32:54 -0500
To: Matthijs Mekking <matthijs@nlnetlabs.nl>
From: Edward Lewis <Ed.Lewis@neustar.biz>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext list <dnsext@ietf.org>
Subject: Re: [dnsext] An 5155 inconvenience
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Read it as: MUST BE zero for the purposes of "conformance" to RFC 5155. And/but we are open to future updates. At 16:27 +0100 1/20/12, Matthijs Mekking wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >If bit 0-6 must be zero, what's the point of having them available for >assignment? > >Best regards, > Matthijs > >On 01/20/2012 03:30 PM, Edward Lewis wrote: >> My reading of this is - if a validator is built with RFC 5155 in mind >> and it sees an NSEC3 RR with a flag field "other than 0 or 1" the record >> has been created by a signer that conforms to a more modern >> specification, say, RFC 17234. (Or the signer is buggy, etc.) As such, >> the validator is not equipped to deal with the situation and should >> complain somehow instead of proceeding. >> >> At 15:17 +0100 1/20/12, Matthijs Mekking wrote: >> Hi, >> >> Section 8.2 of RFC 5155 states that a validator MUST ignore NSEC3 RRs >> with a Flag fields value other than zero or one. But in the IANA >> Considerations section, bits 0-6 are available for assignment. >> >> Could it be that Section 8.2 actually says that a validator MUST ignore >> bit 0-6 of the NSEC3 Flags field? Do you think this clarification is >> suitable for an errata or as text in dnssec-bis-updates? >> >> Best regards, >> Matthijs >_______________________________________________ >dnsext mailing list >dnsext@ietf.org >https://www.ietf.org/mailman/listinfo/dnsext > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.11 (GNU/Linux) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > >iQEcBAEBAgAGBQJPGYfKAAoJEA8yVCPsQCW5XzAH/A6SoczYxU1FCMynyQSZPzvT >6nXtA89SYsB1dmEB3QRfVONmhXaRI2Ahzcvc5oqUtiMOXuFCC5Dqtu5TadKsU/+m >tJv6qeUrzeqBBAjl3MmRno8wPfoCbSoQHc+H9jTCOIlDrGPaauiBVowg4zjES9eK >TecyfsSrSfzmGseodp/PAXZf6fJgvFFeDRusdA8gL20P0TUzsyMB+AbvBTdfs3xk >ZkMJx0xWm96rSSVtvx/CwMD4cjyQyMh/2gjHwKQZRbFiyetEgcJf2D+70TmEaPGp >Y+eZ3p9CkbHB422sAk94zkhjffq/DyFjc5IiNuKlDApGuMwbW+c6jtrVGjCvbsk= >=yHM2 >-----END PGP SIGNATURE----- -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 Vote for the word of the day: "Papa"razzi - father that constantly takes photos of the baby Corpureaucracy - The institution of corporate "red tape" _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] An 5155 inconvenience Matthijs Mekking
- Re: [dnsext] An 5155 inconvenience Edward Lewis
- Re: [dnsext] An 5155 inconvenience Matthijs Mekking
- Re: [dnsext] An 5155 inconvenience Edward Lewis
- Re: [dnsext] An 5155 inconvenience Ben Laurie