The following errata report has been submitted for RFC8945,
"Secret Key Transaction Authentication for DNS (TSIG)"

--------------------------------------
You may review the report below and at:
https://errata.rfc-editor.org/eid9014/

--------------------------------------
Type: Technical
Reported by: Ondřej Surý <[email protected]>

Section 5.4 says:

Original Text
-------------
Instead, the client SHOULD log an error and continue to wait for a signed 
response until the request times out.

Corrected Text
--------------
Instead, the client SHOULD log an error and MUST regard the message as corrupt 
and discard it.

Notes
-----
The previous sentence says that the response might have been spoofed or 
manipulated.

> Regardless of the RCODE, a message containing a TSIG RR that is unsigned as 
> specified in Section 5.3.2 or that fails verification SHOULD NOT be 
> considered an acceptable response, as it may have been spoofed or manipulated.

If the connection between client and server is under attack than waiting for 
more spoofed or manipulated responses is the worst thing that the client can do 
is to wait for more spoofed responses to come.

There are basically two scenarios:
- off-path attacker guessed port+id -> and we certainly don't want to wait for 
more spoofed responses to come
- on-path attacker -> all is lost anyway, waiting will not help

Instructions:
-------------
This erratum is currently posted as "Reported". Please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
will log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8945 (draft-ietf-dnsop-rfc2845bis)
--------------------------------------
Title               : Secret Key Transaction Authentication for DNS (TSIG)
Publication Date    : November 2020
Author(s)           : F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. 
Gudmundsson, B. Wellington
Category            : Internet Standard
Source              : dnsop (ops)
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to