RFC Errata
RFC 6840, "Clarifications and Implementation Notes for DNS Security (DNSSEC)", February 2013
Note: This RFC has been updated by RFC 8749
Source of RFC: dnsext (int)
Errata ID: 8038
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Elias Heftrig
Date Reported: 2024-07-18
Held for Document Update by: Eric Vyncke
Date Held: 2024-08-07
Section 4.2. says:
When validating a response to QTYPE=*, all received RRsets that match QNAME and QCLASS MUST be validated. If any of those RRsets fail validation, the answer is considered Bogus.
It should say:
When validating a response to QTYPE=*, all received RRsets that match QNAME and QCLASS SHOULD be validated. If any of those RRsets fail validation, the answer is considered Bogus.
Notes:
The original text requires validators to invest an unreasonable amount of work to validate the signatures over the RRsets in case there are many such RRsets. The issue was exploited in the construction of CPU resource exhaustion attacks (CVE-2023-50387). For more details see our publication with ACM CCS'24 on the KeyTrap denial of service vulnerabilities.
-- verifier note --
While the concern is valid (and has been addressed by a more recent RFC), this erratum does not represent the DNSEXT WG consensus at the time of writing, i.e., it cannot be "verified".
Note that further elaboration is required to clarify the implications of not following the recommendation. We suggest also updating the second sentence along the lines of:
> If any of those RRsets fail validation or the response contains more such RRsets than the validator is willing to process, the answer is considered Bogus.
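The following is an added illustration, not text from the erratum, the RFC, or any DNS implementation, of what the suggested second sentence means for a validator: every RRset matching QNAME and QCLASS in a QTYPE=* answer is still checked, but the validator declares the answer Bogus before doing any signature work once the number of such RRsets exceeds what it is willing to process, so the work it performs is bounded. Signature verification is modelled with HMAC-SHA256 as a stand-in for RRSIG/DNSKEY verification (an assumption so the example runs offline with only the standard library), and the key tags, owner names, record data and the limit of 16 RRsets are all constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a zone's DNSKEY set: key tag -> key bytes.
# Real DNSSEC uses public-key RRSIGs; HMAC is used here only so that the
# example verifies something concrete without external dependencies.
ZONE_KEYS = {1: b"constructed-zsk-1", 2: b"constructed-zsk-2"}


@dataclass(frozen=True)
class RRset:
    name: str
    rrclass: str
    rrtype: str
    rdata: tuple          # constructed record data
    sigs: tuple = ()      # (key_tag, signature) pairs, i.e. stand-in RRSIGs


def canonical_form(rrset):
    """Deterministic byte form of the RRset that the signature covers."""
    fields = [rrset.name.lower(), rrset.rrclass, rrset.rrtype, *sorted(rrset.rdata)]
    return "\n".join(fields).encode()


def sign_rrset(rrset, key_tag):
    """Return a copy of the RRset with a stand-in RRSIG made under key_tag."""
    sig = hmac.new(ZONE_KEYS[key_tag], canonical_form(rrset), hashlib.sha256).digest()
    return RRset(rrset.name, rrset.rrclass, rrset.rrtype, rrset.rdata,
                 rrset.sigs + ((key_tag, sig),))


def rrset_verifies(rrset, keys):
    """An RRset is authenticated if at least one of its signatures verifies."""
    for key_tag, sig in rrset.sigs:
        key = keys.get(key_tag)
        if key is None:
            continue  # no candidate key for this tag: skip, do not fail yet
        expected = hmac.new(key, canonical_form(rrset), hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return True
    return False


def validate_any_response(qname, qclass, rrsets, keys, max_rrsets):
    """
    Validate a QTYPE=* answer as the suggested wording reads: every RRset
    matching QNAME/QCLASS is checked, but if the response carries more such
    RRsets than the validator is willing to process, or any of them fails,
    the answer is Bogus.  Returns (status, rrsets_verified) so the bounded
    amount of work is visible to the caller.
    """
    matching = [r for r in rrsets
                if r.name.lower() == qname.lower() and r.rrclass == qclass]
    if len(matching) > max_rrsets:
        return "Bogus", 0          # refuse before doing any signature work
    verified = 0
    for rrset in matching:
        if not rrset_verifies(rrset, keys):
            return "Bogus", verified
        verified += 1
    return "Secure", verified


def build_response(n_extra_types=0):
    """Constructed answer section for example.com/IN ANY (not a real capture)."""
    base = [
        RRset("example.com.", "IN", "A", ("192.0.2.1",)),
        RRset("example.com.", "IN", "AAAA", ("2001:db8::1",)),
        RRset("example.com.", "IN", "MX", ("10 mail.example.com.",)),
        # Different owner name: neither counted nor validated for this QNAME.
        RRset("www.example.com.", "IN", "A", ("192.0.2.2",)),
    ]
    # Padding RRsets of private-use types, to exercise the RRset limit.
    extra = [RRset("example.com.", "IN", f"TYPE{65280 + i}", (f"\\# 1 {i:02x}",))
             for i in range(n_extra_types)]
    return [sign_rrset(r, 1) for r in base + extra]


if __name__ == "__main__":
    print(validate_any_response("example.com.", "IN", build_response(),
                                ZONE_KEYS, max_rrsets=16))
    print(validate_any_response("example.com.", "IN", build_response(20),
                                ZONE_KEYS, max_rrsets=16))
```

The second call returns Bogus with zero RRsets verified: the limit check runs before any signature is examined, which is the property the suggested sentence gives a validator. A real resolver would choose the limit per its own resource policy rather than the constructed value used here.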