The following errata report has been rejected for RFC8945,
"Secret Key Transaction Authentication for DNS (TSIG)"

--------------------------------------
You may review the report below and at:
https://errata.rfc-editor.org/eid9014/

--------------------------------------

Status: Rejected
Type: Technical
Reported by: Ondřej Surý <[email protected]>
Date Reported: June 24, 2026, 7:49 a.m.
Rejected by: Mohamed Boucadair (IESG)

Section 5.4 says:

Original Text
-------------
Instead, the client SHOULD log an error and continue to wait for a signed 
response until the request times out.

Corrected Text
--------------
Instead, the client SHOULD log an error and MUST regard the message as corrupt 
and discard it.

Notes
-----
The previous sentence says that the response might have been spoofed or 
manipulated.

> Regardless of the RCODE, a message containing a TSIG RR that is unsigned as 
> specified in Section 5.3.2 or that fails verification SHOULD NOT be 
> considered an acceptable response, as it may have been spoofed or manipulated.

If the connection between client and server is under attack than waiting for 
more spoofed or manipulated responses is the worst thing that the client can do 
is to wait for more spoofed responses to come.

There are basically two scenarios:
- off-path attacker guessed port+id -> and we certainly don't want to wait for 
more spoofed responses to come
- on-path attacker -> all is lost anyway, waiting will not help

--------------------------------------
RFC8945 (draft-ietf-dnsop-rfc2845bis)
--------------------------------------
Title               : Secret Key Transaction Authentication for DNS (TSIG)
Publication Date    : November 2020
Author(s)           : F. Dupont, S. Morris, P. Vixie, D. Eastlake 3rd, O. 
Gudmundsson, B. Wellington
Category            : Internet Standard
Source              : dnsop (ops)
Stream              : IETF

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to