The following errata report has been submitted for RFC8945, "Secret Key Transaction Authentication for DNS (TSIG)"
-------------------------------------- You may review the report below and at: https://errata.rfc-editor.org/eid9014/ -------------------------------------- Type: Technical Reported by: Ondřej Surý <[email protected]> Section 5.4 says: Original Text ------------- Instead, the client SHOULD log an error and continue to wait for a signed response until the request times out. Corrected Text -------------- Instead, the client SHOULD log an error and MUST regard the message as corrupt and discard it. Notes ----- The previous sentence says that the response might have been spoofed or manipulated. > Regardless of the RCODE, a message containing a TSIG RR that is unsigned as > specified in Section 5.3.2 or that fails verification SHOULD NOT be > considered an acceptable response, as it may have been spoofed or manipulated. If the connection between client and server is under attack than waiting for more spoofed or manipulated responses is the worst thing that the client can do is to wait for more spoofed responses to come. There are basically two scenarios: - off-path attacker guessed port+id -> and we certainly don't want to wait for more spoofed responses to come - on-path attacker -> all is lost anyway, waiting will not help Instructions: ------------- This erratum is currently posted as "Reported". Please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party will log in to change the status and edit the report, if necessary. -------------------------------------- RFC8945 (draft-ietf-dnsop-rfc2845bis) -------------------------------------- Title : Secret Key Transaction Authentication for DNS (TSIG) Publication Date : November 2020 Author(s) : F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, B. Wellington Category : Internet Standard Source : dnsop (ops) Stream : IETF Verifying Party : IESG _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
