RFC Errata



Found 2 records.

Status: Verified (2)

RFC 6672, "DNAME Redirection in the DNS", June 2012

Source of RFC: dnsext (int)

Errata ID: 5297
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Pieter Lexis
Date Reported: 2018-03-23
Verifier Name: Warren Kumari (Ops AD)
Date Verified: 2018-03-26

Section 5.3.4.1 says:

   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   foo.bar.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME 
   bar.example.com. RRSIG NSEC [valid signature]

It should say:

   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   foo.bar.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
   bar.example.com. RRSIG NSEC [valid signature]

Notes:

The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.

Edit: Thread: https://www.ietf.org/mail-archive/web/dnsext/current/msg13879.html

Errata ID: 5298
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Pieter Lexis
Date Reported: 2018-03-02
Verifier Name: Eric Vyncke
Date Verified: 2023-08-03

Section 5.3.4.2 says:

   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   cee.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME
   bar.example.com. RRSIG NSEC [valid signature]

It should say:

   ;; Header: QR AA RCODE=3(NXDOMAIN)
   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 4096

   ;; Question
   cee.example.com. IN A
   ;; Authority
   bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC
   bar.example.com. RRSIG NSEC [valid signature]

Notes:

The NSEC record in the original text would in no case be valid as it denies its own existence and the existence of the RRSIG, while the text indicates that "the validator can see that it is a BOGUS reply from an attacker that collated existing records from the DNS to create a confusing reply". This indicates that NSEC and RRSIG should be set in the NSEC bitmap.

Edit: Thread - https://www.ietf.org/mail-archive/web/dnsext/current/msg13879.html
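
The point made in the notes of errata 5297 and 5298, as an added example that is not part of RFC 6672 or of the errata reports: RFC 4035, Section 2.3, requires every NSEC record in a signed zone to list NSEC and RRSIG in its own type bitmap. The check below runs over the original and corrected NSEC lines quoted above and also encodes each type list in the RFC 4034, Section 4.1.2, wire format. The function names and the four-entry type table are assumptions made for this illustration.

```python
# Added example. Type codes are limited to the mnemonics used in the errata.
TYPE_CODES = {"A": 1, "DNAME": 39, "RRSIG": 46, "NSEC": 47}

# The Authority-section NSEC lines as quoted in both errata.
ORIGINAL = "bar.example.com. NSEC dub.example.com. A DNAME"
CORRECTED = "bar.example.com. NSEC dub.example.com. A DNAME RRSIG NSEC"


def parse_nsec(line):
    """Split a presentation-format NSEC line into (owner, next_name, types)."""
    fields = line.split()
    idx = fields.index("NSEC")  # the first NSEC token is the RR type itself
    return fields[0], fields[idx + 1], fields[idx + 2:]


def missing_self_types(types):
    """Return the types an NSEC bitmap must list for its own name but lacks."""
    return sorted({"NSEC", "RRSIG"} - set(types))


def encode_bitmap(types):
    """Encode type mnemonics as RFC 4034 section 4.1.2 window blocks."""
    windows = {}
    for code in sorted(TYPE_CODES[t] for t in types):
        block = windows.setdefault(code >> 8, bytearray(32))
        low = code & 0xFF
        block[low >> 3] |= 0x80 >> (low & 7)  # most significant bit is type 0
    out = bytearray()
    for window in sorted(windows):
        block = bytes(windows[window]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([window, len(block)]) + block
    return bytes(out)


def check(line):
    """Summarise one NSEC line: owner, missing self-types, wire bitmap (hex)."""
    owner, _next_name, types = parse_nsec(line)
    return {
        "owner": owner,
        "missing": missing_self_types(types),
        "bitmap": encode_bitmap(types).hex(),
    }


if __name__ == "__main__":
    for label, line in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, check(line))
```
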
