The following errata report has been rejected for RFC8945, "Secret Key Transaction Authentication for DNS (TSIG)"
-------------------------------------- You may review the report below and at: https://errata.rfc-editor.org/eid9014/ -------------------------------------- Status: Rejected Type: Technical Reported by: Ondřej Surý <[email protected]> Date Reported: June 24, 2026, 7:49 a.m. Rejected by: Mohamed Boucadair (IESG) Section 5.4 says: Original Text ------------- Instead, the client SHOULD log an error and continue to wait for a signed response until the request times out. Corrected Text -------------- Instead, the client SHOULD log an error and MUST regard the message as corrupt and discard it. Notes ----- The previous sentence says that the response might have been spoofed or manipulated. > Regardless of the RCODE, a message containing a TSIG RR that is unsigned as > specified in Section 5.3.2 or that fails verification SHOULD NOT be > considered an acceptable response, as it may have been spoofed or manipulated. If the connection between client and server is under attack than waiting for more spoofed or manipulated responses is the worst thing that the client can do is to wait for more spoofed responses to come. There are basically two scenarios: - off-path attacker guessed port+id -> and we certainly don't want to wait for more spoofed responses to come - on-path attacker -> all is lost anyway, waiting will not help -------------------------------------- RFC8945 (draft-ietf-dnsop-rfc2845bis) -------------------------------------- Title : Secret Key Transaction Authentication for DNS (TSIG) Publication Date : November 2020 Author(s) : F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. Gudmundsson, B. Wellington Category : Internet Standard Source : dnsop (ops) Stream : IETF _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
