
From nobody Tue Apr 18 04:12:32 2017
To: ben@links.org, geoff-s@panix.com, roy@nominet.org.uk, davidb@verisign.com,  suresh.krishnan@ericsson.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: rwfranks@acm.org, dnsext@ietf.org, rfc-editor@rfc-editor.org
Message-Id: <20170413161207.DB84EB80A47@rfc-editor.org>
Date: Thu, 13 Apr 2017 09:12:07 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/4ZyVxkinU9fQNLQxWNQzPOSuNy8>
Subject: [dnsext] [Technical Errata Reported] RFC5155 (4993)

The following errata report has been submitted for RFC5155,
"DNS Security (DNSSEC) Hashed Authenticated Denial of Existence".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5155&eid=4993

--------------------------------------
Type: Technical
Reported by: Dick Franks <rwfranks@acm.org>

Section: Appendix A

Original Text
-------------
  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
- ; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example)
- ;                  = kohar7mbb8dc2ce8a9qvl8hon4k53uhi
  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
                         3600000 3600 )
                 NS      ns1.example.
                 NS      ns2.example.
                 MX      1 xx.example.
                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
                         TY4hHn9npWFRw5BYubE= )
                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
                         AbsUdblMFin8CVF3n4s= )
                 NSEC3PARAM 1 0 12 aabbccdd:1
  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
                         SOA NSEC3PARAM RRSIG )
! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
!                NSEC3   1 1 12 aabbccdd (
                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
  a.example.     NS      ns1.a.example.
                 NS      ns2.a.example.
                 DS      58470 5 1 (
                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
  ns1.a.example. A       192.0.2.5
  ns2.a.example. A       192.0.2.6
  ai.example.    A       192.0.2.9
                 HINFO   "KLH-10" "ITS"
                 AAAA    2001:db8:0:0:0:0:f00:baa9
  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
  c.example.     NS      ns1.c.example.
                 NS      ns2.c.example.
  ns1.c.example. A       192.0.2.7
  ns2.c.example. A       192.0.2.8
  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
                         RRSIG )
  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
!                        kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
! kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
!                        q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
  ns1.example.   A       192.0.2.1
  ns2.example.   A       192.0.2.2
  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
                         RRSIG )
  *.w.example.   MX      1 ai.example.
  x.w.example.   MX      1 xx.example.
  x.y.w.example. MX      1 xx.example.
  xx.example.    A       192.0.2.10
                 HINFO   "KLH-10" "TOPS-20"
                 AAAA    2001:db8:0:0:0:0:f00:baaa

Corrected Text
--------------
  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
                         3600000 3600 )
                 NS      ns1.example.
                 NS      ns2.example.
                 MX      1 xx.example.
                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
                         TY4hHn9npWFRw5BYubE= )
                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
                         AbsUdblMFin8CVF3n4s= )
                 NSEC3PARAM 1 0 12 aabbccdd:1
  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
                         SOA NSEC3PARAM RRSIG )
! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3   1 1 12 aabbccdd (
                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
  a.example.     NS      ns1.a.example.
                 NS      ns2.a.example.
                 DS      58470 5 1 (
                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
  ns1.a.example. A       192.0.2.5
  ns2.a.example. A       192.0.2.6
  ai.example.    A       192.0.2.9
                 HINFO   "KLH-10" "ITS"
                 AAAA    2001:db8:0:0:0:0:f00:baa9
  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
  c.example.     NS      ns1.c.example.
                 NS      ns2.c.example.
  ns1.c.example. A       192.0.2.7
  ns2.c.example. A       192.0.2.8
  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
                         RRSIG )
  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
!                        q04jkcevqvmu85r014c7dkba38o0ji5r )
  ns1.example.   A       192.0.2.1
  ns2.example.   A       192.0.2.2
  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
                         RRSIG )
  *.w.example.   MX      1 ai.example.
  x.w.example.   MX      1 xx.example.
  x.y.w.example. MX      1 xx.example.
  xx.example.    A       192.0.2.10
                 HINFO   "KLH-10" "TOPS-20"
                 AAAA    2001:db8:0:0:0:0:f00:baaa
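
Review bot: the two comment lines marked "-" for H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example) show that the original text lists this owner among the names it hashes and carries a matching kohar7mbb8dc2ce8a9qvl8hon4k53uhi NSEC3 record (type bitmap A RRSIG) in the chain, so the original is internally consistent as printed. The report should cite the RFC 5155 rule that the "A 192.0.2.127" record breaks rather than only deleting it, and since the Notes say B5 needs a corresponding amendment, the corrected B5 text should be included here as well.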

Notes
-----
The obligatory RRSIG records have been omitted for clarity.

The zone prior to NSEC3 signing seems to have contained an unexpected
    2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.	A	192.0.2.127
which was then lovingly included in the NSEC3 chain.

The error is readily detectable from the list of hashes of the original owner names. The source zone prior to signing can never contain a hashed name.

For completeness, B5 also needs a corresponding amendment, although this does not invalidate the proof presented therein.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5155 (draft-ietf-dnsext-nsec3-13)
--------------------------------------
Title               : DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
Publication Date    : March 2008
Author(s)           : B. Laurie, G. Sisson, R. Arends, D. Blacka
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Area                : Internet
Stream              : IETF
Verifying Party     : IESG


From nobody Fri Apr 28 06:06:36 2017
From: Roy Arends <roy.arends@icann.org>
To: Ben Laurie <ben@links.org>, "geoff-s@panix.com" <geoff-s@panix.com>, "Roy Arends" <roy@nominet.org.uk>, "davidb@verisign.com" <davidb@verisign.com>,  "suresh.krishnan@ericsson.com" <suresh.krishnan@ericsson.com>, "Terry Manderson" <terry.manderson@icann.org>, Olafur Gud <ogud@ogud.com>, "ajs@anvilwalrusden.com" <ajs@anvilwalrusden.com>
CC: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>, "dnsext@ietf.org" <dnsext@ietf.org>
Date: Tue, 18 Apr 2017 18:45:01 +0000
Message-ID: <6D38C6C1-0821-4129-ADE8-76C9F599E87C@icann.org>
References: <20170413161207.DB84EB80A47@rfc-editor.org> <A1B3B93F-14AB-4AA5-8CF8-959D316C90F1@vpnc.org>
In-Reply-To: <A1B3B93F-14AB-4AA5-8CF8-959D316C90F1@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/c6-48hX43RLYqXFPdWlHtW_S8HY>
Subject: Re: [dnsext] [Ext]  [Technical Errata Reported] RFC5155 (4993)

The erratum is incorrect.

The hash value for ns1.example is explicitly used as an owner name for a
regular record (2t7b4g4vsa5smi47k61mv5bv1a22bojr.example A 192.0.2.127) to
show that a potential collision between the owner names and the hashed space
has no impact.

Roy




From nobody Fri Apr 28 06:06:56 2017
From: Alex Bligh <alex@alex.org.uk>
In-Reply-To: <20170413161207.DB84EB80A47@rfc-editor.org>
Date: Wed, 19 Apr 2017 07:16:51 +0200
Cc: Alex Bligh <alex@alex.org.uk>, Ben Laurie <ben@links.org>, geoff-s@panix.com, Roy Arends <roy@nominet.org.uk>, David Blacka <davidb@verisign.com>, suresh.krishnan@ericsson.com, terry.manderson@icann.org, Ólafur Guðmundsson /DNSEXT chair <ogud@ogud.com>, ajs@anvilwalrusden.com, "dnsext mailing dnsext@ietf.org" <dnsext@ietf.org>
Message-Id: <34C0EC89-BA95-47A0-B5DC-A6800217EB40@alex.org.uk>
References: <20170413161207.DB84EB80A47@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/b9KjBCao80mfqC03YcYqREyHgXk>
Subject: Re: [dnsext] [Technical Errata Reported] RFC5155 (4993)

> On 13 Apr 2017, at 18:12, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>
> The zone prior to NSEC3 signing seems to have contained an unexpected
>    2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.	A	192.0.2.127
> which was then lovingly included in the NSEC3 chain.
>
> The error is readily detectable from the list of hashes of the original
> owner names. The source zone prior to signing can never contain a hashed name.
>

The inclusion may or may not be an error, but that statement is
incorrect. The source zone *can* include labels that happen to be the
result of a later hashing (by coincidence) and there was much discussion
at the time as to whether this would cause issues (it doesn't). Of
course it's not likely in practice, but it is possible.

It seems to me that whether this is in fact an error depends on whether
the possibility of this is being deliberately illustrated or not; if it
is, then perhaps it might be better to call this out directly.

-- 
Alex Bligh
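
The collision case discussed in this thread, as an added example that is not part of any message here or of RFC 5155: it recomputes the NSEC3 hashes listed in the Original Text (SHA-1, salt aabbccdd, 12 iterations), finds owner names whose first label equals the hash of another name in the zone, and builds the NSEC3 chain with and without that owner. The function and constant names are chosen for this example.

```python
import base64
import hashlib

# base32 (RFC 4648) -> base32hex alphabet; base32hex preserves byte sort order.
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Parameters from the zone's "NSEC3PARAM 1 0 12 aabbccdd" record.
ZONE, SALT_HEX, ITERATIONS = "example", "aabbccdd", 12

# Owner names and hashes copied from the "Original Text" comment lines.
ODD_OWNER = "2t7b4g4vsa5smi47k61mv5bv1a22bojr.example"
LISTED = {
    "example":       "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
    "a.example":     "35mthgpgcu1qg68fab165klnsnk3dpvl",
    "ai.example":    "gjeqe526plbf1g8mklp59enfd789njgi",
    "ns1.example":   "2t7b4g4vsa5smi47k61mv5bv1a22bojr",
    "ns2.example":   "q04jkcevqvmu85r014c7dkba38o0ji5r",
    "w.example":     "k8udemvp1j2f7eg6jebps17vp3n8i58h",
    "*.w.example":   "r53bq7cc2uvmubfu5ocmm6pers9tk9en",
    "x.w.example":   "b4um86eghhds6nea196smvmlo4ors995",
    "y.w.example":   "ji6neoaepv8b5o6k4ev33abha8ht9fgc",
    "x.y.w.example": "2vptu5timamqttgl4luu9kg21e0aor3s",
    "xx.example":    "t644ebqk9bibcna874givr6joj62mlhv",
    ODD_OWNER:       "kohar7mbb8dc2ce8a9qvl8hon4k53uhi",
}


def wire_name(name):
    """Canonical wire form: lowercased, length-prefixed labels, root label last."""
    stripped = name.rstrip(".").lower()
    if not stripped:
        return b"\x00"
    out = b""
    for label in stripped.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 hash: H(name || salt), then `iterations` more rounds of H(prev || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32_TO_B32HEX).lower()


def mismatches(listed):
    """Names whose recomputed hash differs from the hash listed for them."""
    return sorted(n for n, h in listed.items() if nsec3_hash(n) != h)


def hash_shaped_owners(names, zone=ZONE):
    """Map owner -> hashed name, for owners whose first label is H(another name)."""
    by_hash = {nsec3_hash(n): n for n in names}
    found = {}
    for owner in names:
        label, _, parent = owner.partition(".")
        if parent == zone and label in by_hash and by_hash[label] != owner:
            found[owner] = by_hash[label]
    return found


def nsec3_chain(names):
    """Map each hashed owner to the next hashed owner, wrapping at the end."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


if __name__ == "__main__":
    print("hash mismatches:", mismatches(LISTED))
    print("hash-shaped owners:", hash_shaped_owners(LISTED))
    with_odd = nsec3_chain(LISTED)
    without_odd = nsec3_chain([n for n in LISTED if n != ODD_OWNER])
    w = LISTED["w.example"]
    print("chain sizes:", len(with_odd), len(without_odd))
    print("after H(w.example):", with_odd[w], "vs", without_odd[w])
```

The only chain difference between the two zones is the extra entry for the hash-shaped owner itself; the NSEC3 record covering ns1.example keeps the same next-hashed-owner value in both.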




