RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 5155, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", March 2008

Source of RFC: dnsext (int)

Errata ID: 4993

Status: Reported
Type: Technical

Reported By: Dick Franks
Date Reported: 2017-04-13

Section Appendix A says:

  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
- ; H(2t7b4g4vsa5smi47k61mv5bv1a22bojr.example)
- ;                  = kohar7mbb8dc2ce8a9qvl8hon4k53uhi
  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
                         3600000 3600 )
                 NS      ns1.example.
                 NS      ns2.example.
                 MX      1 xx.example.
                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
                         TY4hHn9npWFRw5BYubE= )
                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
                         AbsUdblMFin8CVF3n4s= )
                 NSEC3PARAM 1 0 12 aabbccdd:1
  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
                         SOA NSEC3PARAM RRSIG )
! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
!                NSEC3   1 1 12 aabbccdd (
                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
  a.example.     NS      ns1.a.example.
                 NS      ns2.a.example.
                 DS      58470 5 1 (
                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
  ns1.a.example. A       192.0.2.5
  ns2.a.example. A       192.0.2.6
  ai.example.    A       192.0.2.9
                 HINFO   "KLH-10" "ITS"
                 AAAA    2001:db8:0:0:0:0:f00:baa9
  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
  c.example.     NS      ns1.c.example.
                 NS      ns2.c.example.
  ns1.c.example. A       192.0.2.7
  ns2.c.example. A       192.0.2.8
  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
                         RRSIG )
  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
!                        kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
! kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
!                        q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
  ns1.example.   A       192.0.2.1
  ns2.example.   A       192.0.2.2
  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
                         RRSIG )
  *.w.example.   MX      1 ai.example.
  x.w.example.   MX      1 xx.example.
  x.y.w.example. MX      1 xx.example.
  xx.example.    A       192.0.2.10
                 HINFO   "KLH-10" "TOPS-20"
                 AAAA    2001:db8:0:0:0:0:f00:baaa

It should say:

  ; H(example)       = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
  ; H(a.example)     = 35mthgpgcu1qg68fab165klnsnk3dpvl
  ; H(ai.example)    = gjeqe526plbf1g8mklp59enfd789njgi
  ; H(ns1.example)   = 2t7b4g4vsa5smi47k61mv5bv1a22bojr
  ; H(ns2.example)   = q04jkcevqvmu85r014c7dkba38o0ji5r
  ; H(w.example)     = k8udemvp1j2f7eg6jebps17vp3n8i58h
  ; H(*.w.example)   = r53bq7cc2uvmubfu5ocmm6pers9tk9en
  ; H(x.w.example)   = b4um86eghhds6nea196smvmlo4ors995
  ; H(y.w.example)   = ji6neoaepv8b5o6k4ev33abha8ht9fgc
  ; H(x.y.w.example) = 2vptu5timamqttgl4luu9kg21e0aor3s
  ; H(xx.example)    = t644ebqk9bibcna874givr6joj62mlhv
  example. 3600  IN SOA  ns1.example. bugs.x.w.example. 1 3600 300 (
                         3600000 3600 )
                 NS      ns1.example.
                 NS      ns2.example.
                 MX      1 xx.example.
                 DNSKEY  256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU (
                         sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h
                         TY4hHn9npWFRw5BYubE= )
                 DNSKEY  257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ (
                         j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9
                         AbsUdblMFin8CVF3n4s= )
                 NSEC3PARAM 1 0 12 aabbccdd:1
  0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
                         2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
                         SOA NSEC3PARAM RRSIG )
! 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3   1 1 12 aabbccdd (
                         2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
  2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
                         35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
  35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
                         b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
  a.example.     NS      ns1.a.example.
                 NS      ns2.a.example.
                 DS      58470 5 1 (
                         3079F1593EBAD6DC121E202A8B766A6A4837206C )
  ns1.a.example. A       192.0.2.5
  ns2.a.example. A       192.0.2.6
  ai.example.    A       192.0.2.9
                 HINFO   "KLH-10" "ITS"
                 AAAA    2001:db8:0:0:0:0:f00:baa9
  b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
                         gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
  c.example.     NS      ns1.c.example.
                 NS      ns2.c.example.
  ns1.c.example. A       192.0.2.7
  ns2.c.example. A       192.0.2.8
  gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
                         ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
                         RRSIG )
  ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
                         k8udemvp1j2f7eg6jebps17vp3n8i58h )
  k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
!                        q04jkcevqvmu85r014c7dkba38o0ji5r )
  ns1.example.   A       192.0.2.1
  ns2.example.   A       192.0.2.2
  q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
                         r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
  r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
                         t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
  t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
                         0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
                         RRSIG )
  *.w.example.   MX      1 ai.example.
  x.w.example.   MX      1 xx.example.
  x.y.w.example. MX      1 xx.example.
  xx.example.    A       192.0.2.10
                 HINFO   "KLH-10" "TOPS-20"
                 AAAA    2001:db8:0:0:0:0:f00:baaa

Notes:

The obligatory RRSIG records have been omitted for clarity.

The zone prior to NSEC3 signing seems to have contained an unexpected
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
which was then lovingly included in the NSEC3 chain.

The error is readily detectable from the list of hashes of the original owner names. The source zone prior to signing can never contain a hashed name.

For completeness, B5 also needs a corresponding amendment, although this does not invalidate the proof presented therein.

Report New Errata