[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC4034 6.2 item 3

To: IETF DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: RFC4034 6.2 item 3
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Tue, 13 Mar 2007 15:35:12 -0400
In-reply-to: <040FB311-41B3-4906-8593-F56E26E8C835@NLnetLabs.nl>
References: <040FB311-41B3-4906-8593-F56E26E8C835@NLnetLabs.nl>


This discussion seems to be coming to a conclusion, but to make sure
everyone is in agreement I want to ask people to answer few simple
questions about the general case. The IPSECKEY RR is defined in RFC4025
it is published after RFC3597 which sets the rules for handling of
future RR's.

In the answers below say what you think is the Right thing to do not
what your favorite implementation does.

1. The gateway field in IPSECKEY is a domain name
        1.a: Can it be compressed ?
        1.b: Can its case be changed as the Record passes through the DNS ?
        1.c: Should the DNSSEC domain name canonical rules be applied
             to the name before it is signed/verified ?
        1.d: Please explain your reasoning

2. Explain why different rules should apply to NSEC [RFC3845]
   and/or NSEC3 [RFC-to-be]?

3. what RFC's needs to be clarified?

        Olafur (acting as King Solomon)


At 05:26 10/03/2007, Olaf M. Kolkman wrote:

Dear Colleagues,

We recently discovered an interoperability problem that can be argued
to be a protocol bug or an editing error.

A popular zone signer and its corresponding validator implementation
does not lowercase the next domain name in the RDATA, while
according to RFC4034 section 6.2 item 3 that should be done. The bug
was discovered when NSD was deployed as a one of the servers in an
authoritative server cloud. During the zone transfer NSD 'lowercases
the NSEC RDATA' and starts to hand out different NSEC RDATA then was
used for input.

One could argue that NSEC is listed in item 3 of section 6.2 in 4034
in error: The original NSEC specification (RFC3845) does not contain
rules to make NSEC canonical and therefore the default was to use the
RFC3597 (Unknown RRs) behavior. RFC3597 does not list.

On the other hand one could argue that when the NSEC is a 'carbon
copy' of the NXT RR and therefore RFC3597 behavior should have
applied and not mentioning the requirement to lowercase the dname
before signature creation in RFC3845 was an error. Besides, the
RFC35977 case preservation is (most) relevant for implementations of
DNSSEC validation code but those are also the ones that must have
detailed knowledge of the NSEC RR so IMHO the deviation of 4034 of
3597 should in theory not have caused problems.

One of the argument to lower-case the data before signing is that the
_information_ you want to transport with the NSEC RR is the
_canonical_ ordering in which casing is irrelevant.

There is one practical example, a bit far fetched, where not
lowercasing the dname before signing can hurt you:
Assume two sites that AXFR data between them (AXFR does not guarantee
casing of onwer names to be preserved). Both dynamically generate
NSECs and sign then dynamically. Now we have the case that for one
zone the RRSIGs for the NSECs data generated by one server (which is
exactly the same as for the other, except for the casing) cannot be
used to validate the NSEC RRset of the other.  A bit construed, but
still.

I also understand there is an installed-base argument that weighs
heavily for saying that 4034 is in error:  At this moment there are
implementations that take a different interpretation. I think it is
fair to say that the signer and validator with the largest deployment
base treat the data as case sensitive.

Because of the argument that it is the information in the NSEC that
matters, the protocol geek in me has a slight preference for the
interpretation as in 4034, it is cleaner protocol wise. Practically I
want to have this fixed ASAP and the least disruptive way is to scrap
NSEC from the above mentioned item 3 in 6.2 of 4034 and to have NLnet
Labs patch NSD. It is important that the working group chooses a
position fast.

I leave it to Olafur to judge consensus.

The result should go into draft-ietf-dnsext-dnssec-updates.

--Olaf



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- Re: RFC4034 6.2 item 3
  - From: Sam Weiler <weiler@tislabs.com>
- Re: RFC4034 6.2 item 3
  - From: Andrew Sullivan <andrew@ca.afilias.info>
- Re: RFC4034 6.2 item 3
  - From: Mark Andrews <Mark_Andrews@isc.org>
- Re: RFC4034 6.2 item 3
  - From: Roy Arends <roy@nominet.org.uk>

References:
- RFC4034 6.2 item 3
  - From: "Olaf M. Kolkman" <olaf@NLnetLabs.nl>

Prev by Date: Re: heads up: some practical DNS real life things you might want to know
Next by Date: Re: preserving case vs canonicalisation, was RFC4034 6.2 item 3
Previous by thread: Re: RFC4034 6.2 item 3
Next by thread: Re: RFC4034 6.2 item 3
Index(es):
- Date
- Thread