
From nobody Fri Mar 23 08:25:11 2018
To: scott.rose@nist.gov, wouter@nlnetlabs.nl, suresh@kaloom.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: pieter.lexis@powerdns.com, dnsext@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20180323152454.94C77B82ED3@rfc-editor.org>
Date: Fri, 23 Mar 2018 08:24:54 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/OTn012OSloKy5IHQQMLxLkrKirE>
Subject: [dnsext] [Editorial Errata Reported] RFC6672 (5297)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 15:25:09 -0000

The following errata report has been submitted for RFC6672,
"DNAME Redirection in the DNS".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5297

--------------------------------------
Type: Editorial
Reported by: Pieter Lexis <pieter.lexis@powerdns.com>

Section: 5.3.4.1

Original Text
-------------
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   foo.bar.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME 
   bar.example.com. RRSIG NSEC [valid signature]

Corrected Text
--------------
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   foo.bar.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
   bar.example.com. RRSIG NSEC [valid signature]

Notes
-----
The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
--------------------------------------
Title               : DNAME Redirection in the DNS
Publication Date    : June 2012
Author(s)           : S. Rose, W. Wijngaards
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Area                : Internet
Stream              : IETF
Verifying Party     : IESG


From nobody Fri Mar 23 08:25:49 2018
To: scott.rose@nist.gov, wouter@nlnetlabs.nl, suresh@kaloom.com, terry.manderson@icann.org, ogud@ogud.com, ajs@anvilwalrusden.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: pieter.lexis@powerdns.com, dnsext@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20180323152531.3312CB82EE2@rfc-editor.org>
Date: Fri, 23 Mar 2018 08:25:31 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/fkOvX5BtNyqaTcIn5OFzDgnICjE>
Subject: [dnsext] [Editorial Errata Reported] RFC6672 (5298)

The following errata report has been submitted for RFC6672,
"DNAME Redirection in the DNS".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5298

--------------------------------------
Type: Editorial
Reported by: Pieter Lexis <pieter.lexis@powerdns.com>

Section: 5.3.4.2

Original Text
-------------
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   cee.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME
   bar.example.com. RRSIG NSEC [valid signature]

Corrected Text
--------------
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   cee.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
   bar.example.com. RRSIG NSEC [valid signature]

Notes
-----
The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
--------------------------------------
Title               : DNAME Redirection in the DNS
Publication Date    : June 2012
Author(s)           : S. Rose, W. Wijngaards
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Area                : Internet
Stream              : IETF
Verifying Party     : IESG
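
Added example, not part of the original messages or of RFC 6672: a Python check of the NSEC records quoted in errata 5297 and 5298. It tests the point the errata make (a signed NSEC must list NSEC and RRSIG in its own bitmap), encodes the type bitmap in RFC 4034 section 4.1.2 wire form, and applies the RFC 6672 section 5.3.4 DNAME-bit test to both query names. All function names are hypothetical, and signature validation and NSEC wrap-around at the end of the zone are assumed out of scope.

```python
# Added example; helper names are hypothetical. The records are the ones
# quoted in errata 5297 and 5298. Signatures are NOT verified here: the
# "[valid signature]" placeholder from the RFC text is taken as given.
from typing import List, NamedTuple

# RR type codes from the IANA DNS parameters registry.
TYPE_CODES = {"A": 1, "DNAME": 39, "RRSIG": 46, "NSEC": 47}


class Nsec(NamedTuple):
    owner: str
    next_name: str
    types: frozenset


def parse_nsec(line: str) -> Nsec:
    """Parse '<owner> NSEC <next> <type> ...' as printed in the RFC example."""
    fields = line.split()
    if len(fields) < 3 or fields[1].upper() != "NSEC":
        raise ValueError(f"not an NSEC record: {line!r}")
    types = frozenset(t.upper() for t in fields[3:])
    unknown = types - set(TYPE_CODES)
    if unknown:
        raise ValueError(f"unsupported type mnemonics: {sorted(unknown)}")
    return Nsec(fields[0].lower(), fields[2].lower(), types)


def missing_self_bits(rec: Nsec) -> List[str]:
    """A signed NSEC exists at its owner together with its RRSIG, so both bits must be set."""
    return sorted({"NSEC", "RRSIG"} - rec.types)


def encode_type_bitmap(types) -> bytes:
    """RFC 4034 section 4.1.2: per window, <window number><length><bitmap octets>."""
    windows = {}
    for code in (TYPE_CODES[t] for t in types):
        bitmap = windows.setdefault(code >> 8, bytearray(32))
        low = code & 0xFF
        bitmap[low >> 3] |= 0x80 >> (low & 7)  # bit 0 is the most significant bit
    out = bytearray()
    for window in sorted(windows):
        octets = bytes(windows[window]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([window, len(octets)]) + octets
    return bytes(out)


def canonical_key(name: str) -> List[bytes]:
    """RFC 4034 section 6.1 ordering key: labels right to left, lowercased."""
    return [label.encode() for label in reversed(name.lower().rstrip(".").split("."))]


def covers(rec: Nsec, qname: str) -> bool:
    """True if qname sorts strictly between owner and next name (no wrap-around)."""
    return canonical_key(rec.owner) < canonical_key(qname) < canonical_key(rec.next_name)


def is_below(qname: str, ancestor: str) -> bool:
    """True if qname is a proper subdomain of ancestor."""
    qname, ancestor = qname.lower(), ancestor.lower()
    return qname != ancestor and qname.endswith("." + ancestor)


def classify_name_error(qname: str, rec: Nsec) -> str:
    """Classify an NXDOMAIN reply for qname that carries rec in the authority section."""
    if missing_self_bits(rec):
        return "MALFORMED"      # the record denies its own existence
    if not covers(rec, qname):
        return "NOT_COVERED"    # the NSEC says nothing about qname
    if "DNAME" in rec.types and is_below(qname, rec.owner):
        return "BOGUS"          # DNAME substitution should have happened
    return "CONSISTENT"         # the NSEC supports the name error


# Records as they appear on this page (same NSEC in both errata).
ORIGINAL = parse_nsec("bar.example.com. NSEC dub.example.com. A DNAME")
CORRECTED = parse_nsec("bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC")

if __name__ == "__main__":
    for label, rec in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, "missing:", missing_self_bits(rec),
              "bitmap:", encode_type_bitmap(rec.types).hex())
        for qname in ("foo.bar.example.com.", "cee.example.com."):
            print("  ", qname, "->", classify_name_error(qname, rec))
```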


From nobody Fri Mar 23 08:28:16 2018
In-Reply-To: <20180323152454.94C77B82ED3@rfc-editor.org>
References: <20180323152454.94C77B82ED3@rfc-editor.org>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 23 Mar 2018 15:27:30 +0000
Message-ID: <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com>
Cc: "Rose, Scott" <scott.rose@nist.gov>, "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>,  Suresh Krishnan <suresh@kaloom.com>, Terry Manderson <terry.manderson@icann.org>,  Olafur Gudmundsson <ogud@ogud.com>, Andrew Sullivan <ajs@anvilwalrusden.com>,  dnsext@ietf.org, Pieter Lexis <pieter.lexis@powerdns.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/mVrDO2bh0f2AHF_51oxBCCH6MfQ>
Subject: Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)

[ - RFC Editor for clutter ]

This *seems* correct to me, but my brain turned into jelly much
earlier in the week -- anyone disagree with the errata?

W

On Fri, Mar 23, 2018 at 3:24 PM, RFC Errata System
<rfc-editor@rfc-editor.org> wrote:
> The following errata report has been submitted for RFC6672,
> "DNAME Redirection in the DNS".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5297
>
> --------------------------------------
> Type: Editorial
> Reported by: Pieter Lexis <pieter.lexis@powerdns.com>
>
> Section: 5.3.4.1
>
> Original Text
> -------------
>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>    ;; OPT PSEUDOSECTION:
>    ; EDNS: version: 0, flags: do; udp: 4096
>
>    ;; Question
>    foo.bar.example.com. IN A
>    ;; Authority
>    bar.example.com. NSEC dub.example.com. A DNAME
>    bar.example.com. RRSIG NSEC [valid signature]
>
> Corrected Text
> --------------
>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>    ;; OPT PSEUDOSECTION:
>    ; EDNS: version: 0, flags: do; udp: 4096
>
>    ;; Question
>    foo.bar.example.com. IN A
>    ;; Authority
>    bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
>    bar.example.com. RRSIG NSEC [valid signature]
>
> Notes
> -----
> The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
> --------------------------------------
> Title               : DNAME Redirection in the DNS
> Publication Date    : June 2012
> Author(s)           : S. Rose, W. Wijngaards
> Category            : PROPOSED STANDARD
> Source              : DNS Extensions
> Area                : Internet
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


From nobody Fri Mar 23 08:43:48 2018
To: Warren Kumari <warren@kumari.net>
Cc: "Rose, Scott" <scott.rose@nist.gov>, Suresh Krishnan <suresh@kaloom.com>,  Terry Manderson <terry.manderson@icann.org>, Olafur Gudmundsson <ogud@ogud.com>, Andrew Sullivan <ajs@anvilwalrusden.com>, dnsext@ietf.org, Pieter Lexis <pieter.lexis@powerdns.com>
References: <20180323152454.94C77B82ED3@rfc-editor.org> <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com>
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Message-ID: <7e4b1f83-1da0-96b4-856e-804b8a3cf367@nlnetlabs.nl>
Date: Fri, 23 Mar 2018 16:43:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="MKkIdRvDlItXlbOj5IZYATwWROvSP2bLw"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/68GOYYcCjyvIsiNlF6ux0vWwx_8>
Subject: Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)

Hi,

Seems fine to me too.  Also Pieter's (5298) which is also about missing
out on the NSEC and RRSIG bits.  They aren't actually the focus, which
is why no-one missed them I guess (together with all the omitted RRSIG
fields?), but adding NSEC and RRSIG bits is correct for a signed zone.

Best regards, Wouter

On 23/03/18 16:27, Warren Kumari wrote:
> [ - RFC Editor for clutter ]
>
> This *seems* correct to me, but my brain turned into jelly much
> earlier in the week -- anyone disagree with the errata?
>
> W
>
> On Fri, Mar 23, 2018 at 3:24 PM, RFC Errata System
> <rfc-editor@rfc-editor.org> wrote:
>> The following errata report has been submitted for RFC6672,
>> "DNAME Redirection in the DNS".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5297
>>
>> --------------------------------------
>> Type: Editorial
>> Reported by: Pieter Lexis <pieter.lexis@powerdns.com>
>>
>> Section: 5.3.4.1
>>
>> Original Text
>> -------------
>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>    ;; OPT PSEUDOSECTION:
>>    ; EDNS: version: 0, flags: do; udp: 4096
>>
>>    ;; Question
>>    foo.bar.example.com. IN A
>>    ;; Authority
>>    bar.example.com. NSEC dub.example.com. A DNAME
>>    bar.example.com. RRSIG NSEC [valid signature]
>>
>> Corrected Text
>> --------------
>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>    ;; OPT PSEUDOSECTION:
>>    ; EDNS: version: 0, flags: do; udp: 4096
>>
>>    ;; Question
>>    foo.bar.example.com. IN A
>>    ;; Authority
>>    bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
>>    bar.example.com. RRSIG NSEC [valid signature]
>>
>> Notes
>> -----
>> The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
>> --------------------------------------
>> Title               : DNAME Redirection in the DNS
>> Publication Date    : June 2012
>> Author(s)           : S. Rose, W. Wijngaards
>> Category            : PROPOSED STANDARD
>> Source              : DNS Extensions
>> Area                : Internet
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>> _______________________________________________
>> dnsext mailing list
>> dnsext@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsext
>
>
>





From nobody Fri Mar 23 10:50:03 2018
From: "Rose, Scott" <scott.rose@nist.gov>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
CC: Warren Kumari <warren@kumari.net>, Suresh Krishnan <suresh@kaloom.com>, Terry Manderson <terry.manderson@icann.org>, Olafur Gudmundsson <ogud@ogud.com>, Andrew Sullivan <ajs@anvilwalrusden.com>, <dnsext@ietf.org>,  Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 23 Mar 2018 13:49:31 -0400
X-Mailer: MailMate (1.11r5462)
Message-ID: <382D058C-B2F4-400F-A5E1-7454FD1BC1CF@nist.gov>
In-Reply-To: <7e4b1f83-1da0-96b4-856e-804b8a3cf367@nlnetlabs.nl>
References: <20180323152454.94C77B82ED3@rfc-editor.org> <CAHw9_iJ1nJ2QJPQPtOPOzN7K+8Hx12Y=t0BQwcbp8KwjJc4+bA@mail.gmail.com> <7e4b1f83-1da0-96b4-856e-804b8a3cf367@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_0FAC90A0-2DFB-4A6B-9D8E-779E8AD7E971_="
X-NIST-MailScanner-Information: 
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/HoiBXSnC1CpMOmFb4yN0eAGTpPc>
Subject: Re: [dnsext] [Editorial Errata Reported] RFC6672 (5297)

--=_MailMate_0FAC90A0-2DFB-4A6B-9D8E-779E8AD7E971_=
Content-Type: text/plain; format=flowed

I agree with Wouter.  It is technically correct* this way.  The same 
goes with the other errata (5298).  They both should be approved, IMHO.


Scott
*The Best Kind of Correct


On 23 Mar 2018, at 11:43, W.C.A. Wijngaards wrote:

> Hi,
>
> Seems fine to me too.  Also Pieter's (5298) which is also about missing
> out on the NSEC and RRSIG bits.  They aren't actually the focus, which
> is why no-one missed them I guess (together with all the omitted RRSIG
> fields?), but adding NSEC and RRSIG bits is correct for a signed zone.
>
> Best regards, Wouter
>
> On 23/03/18 16:27, Warren Kumari wrote:
>> [ - RFC Editor for clutter ]
>>
>> This *seems* correct to me, but my brain turned into jelly much
>> earlier in the week -- anyone disagree with the errata?
>>
>> W
>>
>> On Fri, Mar 23, 2018 at 3:24 PM, RFC Errata System
>> <rfc-editor@rfc-editor.org> wrote:
>>> The following errata report has been submitted for RFC6672,
>>> "DNAME Redirection in the DNS".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> http://www.rfc-editor.org/errata/eid5297
>>>
>>> --------------------------------------
>>> Type: Editorial
>>> Reported by: Pieter Lexis <pieter.lexis@powerdns.com>
>>>
>>> Section: 5.3.4.1
>>>
>>> Original Text
>>> -------------
>>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>>    ;; OPT PSEUDOSECTION:
>>>    ; EDNS: version: 0, flags: do; udp: 4096
>>>
>>>    ;; Question
>>>    foo.bar.example.com. IN A
>>>    ;; Authority
>>>    bar.example.com. NSEC dub.example.com. A DNAME
>>>    bar.example.com. RRSIG NSEC [valid signature]
>>>
>>> Corrected Text
>>> --------------
>>>    ;; Header: QR AA RCODE=3(NXDOMAIN)
>>>    ;; OPT PSEUDOSECTION:
>>>    ; EDNS: version: 0, flags: do; udp: 4096
>>>
>>>    ;; Question
>>>    foo.bar.example.com. IN A
>>>    ;; Authority
>>>    bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
>>>    bar.example.com. RRSIG NSEC [valid signature]
>>>
>>> Notes
>>> -----
>>> The NSEC record in the original text would in no case be valid as it
>>> denies its own existence and the existence of the RRSIG, while the
>>> text indicates that "the validator can see that it is a BOGUS
>>> reply from an attacker that collated existing records from the DNS
>>> to create a confusing reply". This indicates that NSEC and RRSIG
>>> should be set in the NSEC bitmap.
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
>>> --------------------------------------
>>> Title               : DNAME Redirection in the DNS
>>> Publication Date    : June 2012
>>> Author(s)           : S. Rose, W. Wijngaards
>>> Category            : PROPOSED STANDARD
>>> Source              : DNS Extensions
>>> Area                : Internet
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>
>>> _______________________________________________
>>> dnsext mailing list
>>> dnsext@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsext
>>
>>
>>


===================================
Scott Rose
NIST ITL
scott.rose@nist.gov
+1-301-975-8439
GV: +1-571-249-3671
===================================

--=_MailMate_0FAC90A0-2DFB-4A6B-9D8E-779E8AD7E971_=
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body>
<div><div style="white-space:normal"><p dir="auto">I agree with Wouter.  It is technically correct* this way.  The same goes with the other errata (5298).  They both should be approved, IMHO.</p>
<br><p dir="auto">Scott<br>
*The Best Kind of Correct</p>
<br><p dir="auto">On 23 Mar 2018, at 11:43, W.C.A. Wijngaards wrote:</p>
<blockquote><p dir="auto">Hi,<br>
<br>
Seems fine to me too.  Also Pieter's (5298) which is also about missing<br>
out on the NSEC and RRSIG bits.  They aren't actually the focus, which<br>
is why no-one missed them I guess (together with all the omitted RRSIG<br>
fields?), but adding NSEC and RRSIG bits is correct for a signed zone.<br>
<br>
Best regards, Wouter<br>
<br>
On 23/03/18 16:27, Warren Kumari wrote:</p>
<blockquote><p dir=3D"auto">[ - RFC Editor for clutter ]<br>
<br>
This *seems* correct to me, but my brain turned into jelly much<br>
earlier in the week -- anyone disagree with the errata?<br>
<br>
W<br>
<br>
On Fri, Mar 23, 2018 at 3:24 PM, RFC Errata System<br>
&lt;rfc-editor@rfc-editor.org&gt; wrote:</p>
<blockquote><p dir=3D"auto">The following errata report has been submitte=
d for RFC6672,<br>
"DNAME Redirection in the DNS".<br>
<br>
--------------------------------------<br>
You may review the report below and at:<br>
<a href=3D"http://www.rfc-editor.org/errata/eid5297">http://www.rfc-edito=
r.org/errata/eid5297</a><br>
<br>
--------------------------------------<br>
Type: Editorial<br>
Reported by: Pieter Lexis &lt;pieter.lexis@powerdns.com&gt;<br>
<br>
Section: 5.3.4.1<br>
<br>
Original Text<br>
-------------<br>
   ;; Header: QR AA RCODE=3D3(NXDOMAIN)<br>
   ;; OPT PSEUDOSECTION:<br>
   ; EDNS: version: 0, flags: do; udp: 4096<br>
<br>
   ;; Question<br>
   foo.bar.example.com. IN A<br>
   ;; Authority<br>
   bar.example.com. NSEC dub.example.com. A DNAME<br>
   bar.example.com. RRSIG NSEC [valid signature]<br>
<br>
Corrected Text<br>
--------------<br>
   ;; Header: QR AA RCODE=3D3(NXDOMAIN)<br>
   ;; OPT PSEUDOSECTION:<br>
   ; EDNS: version: 0, flags: do; udp: 4096<br>
<br>
   ;; Question<br>
   foo.bar.example.com. IN A<br>
   ;; Authority<br>
   bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC<br>
   bar.example.com. RRSIG NSEC [valid signature]<br>
<br>
Notes<br>
-----<br>
The NSEC record in the original text would in no case be valid as it deni=
es it's own existence and the existence of the RRSIG, while the text indi=
cates that " the validator can see that it is a  BOGUS reply from an atta=
cker that collated existing records from the DNS to create a confusing re=
ply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap=
<br>
<br>
Instructions:<br>
-------------<br>
This erratum is currently posted as "Reported". If necessary, please<br>
use "Reply All" to discuss whether it should be verified or<br>
rejected. When a decision is reached, the verifying party<br>
can log in to change the status and edit the report, if necessary.<br>
<br>
--------------------------------------<br>
RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)<br>
--------------------------------------<br>
Title               : DNAME Redirection in the DNS<br>
Publication Date    : June 2012<br>
Author(s)           : S. Rose, W. Wijngaards<br>
Category            : PROPOSED STANDARD<br>
Source              : DNS Extensions<br>
Area                : Internet<br>
Stream              : IETF<br>
Verifying Party     : IESG<br>
<br>
_______________________________________________<br>
dnsext mailing list<br>
dnsext@ietf.org<br>
<a href=3D"https://www.ietf.org/mailman/listinfo/dnsext">https://www.ietf=
=2Eorg/mailman/listinfo/dnsext</a></p>
</blockquote><br></blockquote></blockquote><br><p dir=3D"auto">=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D<br>
Scott Rose<br>
NIST ITL<br>
scott.rose@nist.gov<br>
+1-301-975-8439<br>
GV: +1-571-249-3671<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D</p>
</div>
</div>
</body>
</html>

--=_MailMate_0FAC90A0-2DFB-4A6B-9D8E-779E8AD7E971_=--


From nobody Mon Mar 26 08:32:40 2018
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76B4E129C51; Mon, 26 Mar 2018 08:32:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XaRFOtBNz2NH; Mon, 26 Mar 2018 08:32:37 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D64FF1277BB; Mon, 26 Mar 2018 08:32:37 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 43BDCB81077; Mon, 26 Mar 2018 08:32:21 -0700 (PDT)
To: pieter.lexis@powerdns.com, scott.rose@nist.gov, wouter@nlnetlabs.nl
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: warren@kumari.net, iesg@ietf.org, dnsext@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20180326153221.43BDCB81077@rfc-editor.org>
Date: Mon, 26 Mar 2018 08:32:21 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/B4gucOV33flAp9AEFbY6oEqRLpI>
Subject: [dnsext] [Errata Verified] RFC6672 (5297)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 15:32:39 -0000

The following errata report has been verified for RFC6672,
"DNAME Redirection in the DNS". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5297

--------------------------------------
Status: Verified
Type: Editorial

Reported by: Pieter Lexis <pieter.lexis@powerdns.com>
Date Reported: 2018-03-23
Verified by: Warren Kumari (Ops AD) (IESG)

Section: 5.3.4.1

Original Text
-------------
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   foo.bar.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME 
   bar.example.com. RRSIG NSEC [valid signature]

Corrected Text
--------------
   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   foo.bar.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
   bar.example.com. RRSIG NSEC [valid signature]

Notes
-----
The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.

Edit: Thread: https://www.ietf.org/mail-archive/web/dnsext/current/msg13879.html

--------------------------------------
RFC6672 (draft-ietf-dnsext-rfc2672bis-dname-26)
--------------------------------------
Title               : DNAME Redirection in the DNS
Publication Date    : June 2012
Author(s)           : S. Rose, W. Wijngaards
Category            : PROPOSED STANDARD
Source              : DNS Extensions
Area                : Internet
Stream              : IETF
Verifying Party     : IESG
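
Added example (not part of the errata report or of RFC 6672): the Type Bit Maps field of the two NSEC records above, encoded in the RFC 4034 Section 4.1.2 wire format, with a check that an NSEC record lists NSEC and RRSIG at its own owner name. The function names are hypothetical; the type lists are copied from the Original and Corrected Text.

```python
# Added example: type lists copied from the erratum's Original/Corrected Text.
TYPE_CODES = {"A": 1, "DNAME": 39, "RRSIG": 46, "NSEC": 47}  # IANA RR TYPE values
ORIGINAL = ["A", "DNAME"]
CORRECTED = ["A", "DNAME", "RRSIG", "NSEC"]

def encode_type_bitmap(types):
    """Encode RR type mnemonics as an RFC 4034 Section 4.1.2 Type Bit Maps field."""
    windows = {}
    for name in types:
        window, low = divmod(TYPE_CODES[name], 256)
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)   # bit 0 is the most significant bit
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)

def decode_type_bitmap(data):
    """Return the set of RR type codes asserted by a Type Bit Maps field."""
    codes, i = set(), 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed type bitmap")
        for idx, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    codes.add(window * 256 + idx * 8 + bit)
        i += 2 + length
    return codes

def nsec_self_consistent(bitmap):
    """True if the bitmap asserts the NSEC RRset and its RRSIG at the owner name."""
    required = {TYPE_CODES["NSEC"], TYPE_CODES["RRSIG"]}
    return required <= decode_type_bitmap(bitmap)

if __name__ == "__main__":
    for label, types in (("original", ORIGINAL), ("corrected", CORRECTED)):
        wire = encode_type_bitmap(types)
        print(label, wire.hex(), "self-consistent:", nsec_self_consistent(wire))
```

A zone-content or test-vector linter can run the same check on every NSEC record before publication; a bitmap that omits NSEC or RRSIG cannot come from a correctly signed zone.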

