draft-ietf-dnsop-extended-error-10.txt | draft-ietf-dnsop-extended-error-11.txt | |||
---|---|---|---|---|
Network Working Group W. Kumari | Network Working Group W. Kumari | |||
Internet-Draft Google | Internet-Draft Google | |||
Intended status: Standards Track E. Hunt | Intended status: Standards Track E. Hunt | |||
Expires: March 30, 2020 ISC | Expires: April 2, 2020 ISC | |||
R. Arends | R. Arends | |||
ICANN | ICANN | |||
W. Hardaker | W. Hardaker | |||
USC/ISI | USC/ISI | |||
D. Lawrence | D. Lawrence | |||
Oracle + Dyn | Oracle + Dyn | |||
September 27, 2019 | September 30, 2019 | |||
Extended DNS Errors | Extended DNS Errors | |||
draft-ietf-dnsop-extended-error-10 | draft-ietf-dnsop-extended-error-11 | |||
Abstract | Abstract | |||
This document defines an extensible method to return additional | This document defines an extensible method to return additional | |||
information about the cause of DNS errors. Though created primarily | information about the cause of DNS errors. Though created primarily | |||
to extend SERVFAIL to provide additional information about the cause | to extend SERVFAIL to provide additional information about the cause | |||
of DNS and DNSSEC failures, the Extended DNS Errors option defined in | of DNS and DNSSEC failures, the Extended DNS Errors option defined in | |||
this document allows all response types to contain extended error | this document allows all response types to contain extended error | |||
information. Extended DNS Error information does not change the | information. Extended DNS Error information does not change the | |||
processing of RCODEs. | processing of RCODEs. | |||
skipping to change at page 1, line 43 ¶ | skipping to change at page 1, line 43 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on March 30, 2020. | This Internet-Draft will expire on April 2, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 36 ¶ | skipping to change at page 2, line 36 ¶ | |||
3.4. Extended DNS Error Code 3 - Stale Answer . . . . . . . . 5 | 3.4. Extended DNS Error Code 3 - Stale Answer . . . . . . . . 5 | |||
3.5. Extended DNS Error Code 4 - Forged Answer . . . . . . . . 5 | 3.5. Extended DNS Error Code 4 - Forged Answer . . . . . . . . 5 | |||
3.6. Extended DNS Error Code 5 - DNSSEC Indeterminate . . . . 6 | 3.6. Extended DNS Error Code 5 - DNSSEC Indeterminate . . . . 6 | |||
3.7. Extended DNS Error Code 6 - DNSSEC Bogus . . . . . . . . 6 | 3.7. Extended DNS Error Code 6 - DNSSEC Bogus . . . . . . . . 6 | |||
3.8. Extended DNS Error Code 7 - Signature Expired . . . . . . 6 | 3.8. Extended DNS Error Code 7 - Signature Expired . . . . . . 6 | |||
3.9. Extended DNS Error Code 8 - Signature Not Yet Valid . . . 6 | 3.9. Extended DNS Error Code 8 - Signature Not Yet Valid . . . 6 | |||
3.10. Extended DNS Error Code 9 - DNSKEY Missing . . . . . . . 6 | 3.10. Extended DNS Error Code 9 - DNSKEY Missing . . . . . . . 6 | |||
3.11. Extended DNS Error Code 10 - RRSIGs Missing . . . . . . . 6 | 3.11. Extended DNS Error Code 10 - RRSIGs Missing . . . . . . . 6 | |||
3.12. Extended DNS Error Code 11 - No Zone Key Bit Set . . . . 6 | 3.12. Extended DNS Error Code 11 - No Zone Key Bit Set . . . . 6 | |||
3.13. Extended DNS Error Code 12 - NSEC Missing . . . . . . . . 6 | 3.13. Extended DNS Error Code 12 - NSEC Missing . . . . . . . . 6 | |||
3.14. Extended DNS Error Code 13 - Cached Error . . . . . . . . 6 | 3.14. Extended DNS Error Code 13 - Cached Error . . . . . . . . 7 | |||
3.15. Extended DNS Error Code 14 - Not Ready . . . . . . . . . 7 | 3.15. Extended DNS Error Code 14 - Not Ready . . . . . . . . . 7 | |||
3.16. Extended DNS Error Code 15 - Blocked . . . . . . . . . . 7 | 3.16. Extended DNS Error Code 15 - Blocked . . . . . . . . . . 7 | |||
3.17. Extended DNS Error Code 16 - Censored . . . . . . . . . . 7 | 3.17. Extended DNS Error Code 16 - Censored . . . . . . . . . . 7 | |||
3.18. Extended DNS Error Code 17 - Filtered . . . . . . . . . . 7 | 3.18. Extended DNS Error Code 17 - Filtered . . . . . . . . . . 7 | |||
3.19. Extended DNS Error Code 17 - Prohibited . . . . . . . . . 7 | 3.19. Extended DNS Error Code 18 - Prohibited . . . . . . . . . 7 | |||
3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer . . . 7 | 3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer . . . 7 | |||
3.21. Extended DNS Error Code 20 - Not Authoritative . . . . . 7 | 3.21. Extended DNS Error Code 20 - Not Authoritative . . . . . 8 | |||
3.22. Extended DNS Error Code 21 - Deprecated . . . . . . . . . 8 | 3.22. Extended DNS Error Code 21 - Not Supported . . . . . . . 8 | |||
3.23. Extended DNS Error Code 22 - No Reachable Authority . . . 8 | 3.23. Extended DNS Error Code 22 - No Reachable Authority . . . 8 | |||
3.24. Extended DNS Error Code 23 - Network Error . . . . . . . 8 | 3.24. Extended DNS Error Code 23 - Network Error . . . . . . . 8 | |||
3.25. Extended DNS Error Code 24 - Invalid Data . . . . . . . . 8 | 3.25. Extended DNS Error Code 24 - Invalid Data . . . . . . . . 8 | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
4.1. A New Extended DNS Error Code EDNS Option . . . . . . . . 8 | 4.1. A New Extended DNS Error Code EDNS Option . . . . . . . . 8 | |||
4.2. New Registry Table for Extended DNS Error Codes . . . . . 8 | 4.2. New Registry Table for Extended DNS Error Codes . . . . . 8 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
skipping to change at page 3, line 20 ¶ | skipping to change at page 3, line 20 ¶ | |||
There are many reasons that a DNS query may fail, some of them | There are many reasons that a DNS query may fail, some of them | |||
transient, some permanent; some can be resolved by querying another | transient, some permanent; some can be resolved by querying another | |||
server, some are likely best handled by stopping resolution. | server, some are likely best handled by stopping resolution. | |||
Unfortunately, the error signals that a DNS server can return are | Unfortunately, the error signals that a DNS server can return are | |||
very limited, and are not very expressive. This means that | very limited, and are not very expressive. This means that | |||
applications and resolvers often have to "guess" at what the issue is | applications and resolvers often have to "guess" at what the issue is | |||
- e.g. was the answer marked REFUSED because of a lame delegation, or | - e.g. was the answer marked REFUSED because of a lame delegation, or | |||
because the nameserver is still starting up and loading zones? Is a | because the nameserver is still starting up and loading zones? Is a | |||
SERVFAIL a DNSSEC validation issue, or is the nameserver experiencing | SERVFAIL a DNSSEC validation issue, or is the nameserver experiencing | |||
some other failure? | some other failure? What error messages should be presented to the | |||
user or logged under these conditions? | ||||
A good example of issues that would benefit by additional error | A good example of issues that would benefit by additional error | |||
information are errors caused by DNSSEC validation issues. When a | information are errors caused by DNSSEC validation issues. When a | |||
stub resolver queries a name which is DNSSEC bogus (using a | stub resolver queries a name which is DNSSEC bogus (using a | |||
validating resolver), the stub resolver receives only a SERVFAIL in | validating resolver), the stub resolver receives only a SERVFAIL in | |||
response. Unfortunately, the SERVFAIL Response Code (RCODE) is used | response. Unfortunately, the SERVFAIL Response Code (RCODE) is used | |||
to signal many sorts of DNS errors, and so the stub resolvers only | to signal many sorts of DNS errors, and so the stub resolvers only | |||
option is to ask the next configured DNS resolver. The result of | option is to ask the next configured DNS resolver. The result of | |||
trying the next resolver is one of two outcomes: either the next | trying the next resolver is one of two outcomes: either the next | |||
resolver also validates, and a SERVFAIL is returned again or the next | resolver also validates, and a SERVFAIL is returned again or the next | |||
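Review bot: At "the stub resolvers only option is to ask the next configured DNS resolver" the possessive is missing in both columns; it should read "the stub resolver's only option". A comma is also missing before "or the next" in "a SERVFAIL is returned again or the next". The sentence added in the right column ("What error messages should be presented to the user or logged under these conditions?") is a useful motivation for the EXTRA-TEXT field and reads fine.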
skipping to change at page 4, line 4 ¶ | skipping to change at page 4, line 5 ¶ | |||
and thus different systems (stub resolvers, recursive resolvers, and | and thus different systems (stub resolvers, recursive resolvers, and | |||
authoritative resolvers) might receive and use them. | authoritative resolvers) might receive and use them. | |||
This document does not allow or prohibit any particular extended | This document does not allow or prohibit any particular extended | |||
error codes and information to be matched with any particular RCODEs. | error codes and information to be matched with any particular RCODEs. | |||
Some combinations of extended error codes and RCODEs may seem | Some combinations of extended error codes and RCODEs may seem | |||
nonsensical (such as resolver-specific extended error codes in | nonsensical (such as resolver-specific extended error codes in | |||
responses from authoritative servers), so systems interpreting the | responses from authoritative servers), so systems interpreting the | |||
extended error codes MUST NOT assume that a combination will make | extended error codes MUST NOT assume that a combination will make | |||
sense. Receivers MUST be able to accept EDE codes and EXTRA-TEXT in | sense. Receivers MUST be able to accept EDE codes and EXTRA-TEXT in | |||
all messages, including those with a NOERROR RCODE. Receivers MUST | all messages, including those with a NOERROR RCODE. Applications | |||
NOT change the processing of RCODEs in messages based on extended | MUST continue to follow requirements from applicable specs on how to | |||
error codes. | process RCODEs no matter what EDE values is also received | |||
1.1. Requirements notation | 1.1. Requirements notation | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
2. Extended Error EDNS0 option format | 2. Extended Error EDNS0 option format | |||
This draft uses an EDNS0 ([RFC2671]) option to include Extended DNS | This draft uses an EDNS0 ([RFC2671]) option to include Extended DNS | |||
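Review bot: The new sentence in the right column, "Applications MUST continue to follow requirements from applicable specs on how to process RCODEs no matter what EDE values is also received", has a number-agreement error and no terminating period; suggest "... no matter what EDE value is also received." and "specifications" rather than "specs" in normative text. The Abstract still states this requirement in the old, direct form ("does not change the processing of RCODEs"); keeping that blunt prohibition next to the new wording is worth doing, since it is the property an implementer of a receiver most needs to see. Separately, the first paragraph of Section 2 cites [RFC2671] for EDNS0 while the field definitions below cite [RFC6891]; pick one.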
skipping to change at page 4, line 34 ¶ | skipping to change at page 4, line 35 ¶ | |||
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
2: | OPTION-LENGTH | | 2: | OPTION-LENGTH | | |||
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
4: | INFO-CODE | | 4: | INFO-CODE | | |||
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
6: / EXTRA-TEXT ... / | 6: / EXTRA-TEXT ... / | |||
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
Field definition details: | Field definition details: | |||
o OPTION-CODE, 2 octets (defined in [RFC6891]]), for EDE is TBD. | o OPTION-CODE, 2-octets/16-bits (defined in [RFC6891]]), for EDE is | |||
[RFC Editor: change TBD to the proper code once assigned by IANA.] | TBD. [RFC Editor: change TBD to the proper code once assigned by | |||
o OPTION-LENGTH, 2 octets ((defined in [RFC6891]]) contains the | IANA.] | |||
length of the payload (everything after OPTION-LENGTH) in octets | o OPTION-LENGTH, 2-octets/16-bits ((defined in [RFC6891]]) contains | |||
and should be 4 plus the length of the EXTRA-TEXT section (which | the length of the payload (everything after OPTION-LENGTH) in | |||
may be a zero-length string). | octets and should be 4 plus the length of the EXTRA-TEXT section | |||
(which may be a zero-length string). | ||||
o INFO-CODE, 16-bits, which is the principal contribution of this | o INFO-CODE, 16-bits, which is the principal contribution of this | |||
document. This 16-bit value, encoded in network (MSB) byte order, | document. This 16-bit value, encoded in network (MSB) byte order, | |||
provides the additional context for the RESPONSE-CODE of the DNS | provides the additional context for the RESPONSE-CODE of the DNS | |||
message. The INFO-CODE serves as an index into the "Extended DNS | message. The INFO-CODE serves as an index into the "Extended DNS | |||
Errors" registry Section 4.1. | Errors" registry Section 4.1. | |||
o EXTRA-TEXT, a variable length, UTF-8 encoded, text field that may | o EXTRA-TEXT, a variable length, UTF-8 encoded, text field that may | |||
hold additional textual information. Note: EXTRA-TEXT may be zero | hold additional textual information. Note: EXTRA-TEXT may be zero | |||
octets in length, indicating there is no EXTRA-TEXT included. | octets in length, indicating there is no EXTRA-TEXT included. | |||
Care should be taken not to leak private information that an | Care should be taken not to leak private information that an | |||
observer would not otherwise have access to, such as account | observer would not otherwise have access to, such as account | |||
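Review bot: The OPTION-LENGTH bullet says the payload length "should be 4 plus the length of the EXTRA-TEXT section", but in the diagram INFO-CODE occupies offsets 4-5 and EXTRA-TEXT starts at offset 6, so everything after OPTION-LENGTH is INFO-CODE (2 octets) plus EXTRA-TEXT, i.e. 2 + len(EXTRA-TEXT), not 4; an implementer following the text literally would emit or expect two spurious octets. It follows that the minimum valid OPTION-LENGTH is 2, and the text could say what a receiver does with an option shorter than that (ignoring the option rather than the whole message would be consistent with EDE being advisory per Section 1). Also: "[RFC6891]]" has an extra closing bracket and "((defined" an extra opening parenthesis in both bullets, and the INFO-CODE bullet points the registry at "Section 4.1", whereas the table of contents lists 4.1 as the EDNS option and 4.2 as the registry.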
skipping to change at page 6, line 17 ¶ | skipping to change at page 6, line 19 ¶ | |||
The resolver attempted to perform DNSSEC validation, but validation | The resolver attempted to perform DNSSEC validation, but validation | |||
ended in the Indeterminate state [RFC4035]. | ended in the Indeterminate state [RFC4035]. | |||
3.7. Extended DNS Error Code 6 - DNSSEC Bogus | 3.7. Extended DNS Error Code 6 - DNSSEC Bogus | |||
The resolver attempted to perform DNSSEC validation, but validation | The resolver attempted to perform DNSSEC validation, but validation | |||
ended in the Bogus state. | ended in the Bogus state. | |||
3.8. Extended DNS Error Code 7 - Signature Expired | 3.8. Extended DNS Error Code 7 - Signature Expired | |||
The resolver attempted to perform DNSSEC validation, but all | The resolver attempted to perform DNSSEC validation, but no | |||
signatures in an RRset in the validation chain were expired. | signatures are presently valid and some (often all) are expired. | |||
3.9. Extended DNS Error Code 8 - Signature Not Yet Valid | 3.9. Extended DNS Error Code 8 - Signature Not Yet Valid | |||
The resolver attempted to perform DNSSEC validation, but all the | The resolver attempted to perform DNSSEC validation, but but no | |||
signatures received were not yet valid. | signatures are presently valid and at least some are not yet valid. | |||
3.10. Extended DNS Error Code 9 - DNSKEY Missing | 3.10. Extended DNS Error Code 9 - DNSKEY Missing | |||
A DS record existed at a parent, but no supported matching DNSKEY | A DS record existed at a parent, but no supported matching DNSKEY | |||
record could be found for the child. | record could be found for the child. | |||
3.11. Extended DNS Error Code 10 - RRSIGs Missing | 3.11. Extended DNS Error Code 10 - RRSIGs Missing | |||
The resolver attempted to perform DNSSEC validation, but no RRSIGs | The resolver attempted to perform DNSSEC validation, but no RRSIGs | |||
could be found for at least one RRset where RRSIGs were expected. | could be found for at least one RRset where RRSIGs were expected. | |||
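Review bot: Section 3.9 in the right column reads "but but no signatures are presently valid"; drop the duplicated "but". The rewording of 3.8 and 3.9 to "no signatures are presently valid and some (often all) are expired / at least some are not yet valid" is clearer than the old "all signatures ... were expired", since a validator reporting a single code for a mixed set needs a rule like this; it may be worth stating which code wins when both expired and not-yet-valid signatures are present, as implementations will otherwise diverge and consumers of the code will not be able to compare them.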
skipping to change at page 6, line 48 ¶ | skipping to change at page 7, line 7 ¶ | |||
Bit was set in a DNSKEY. | Bit was set in a DNSKEY. | |||
3.13. Extended DNS Error Code 12 - NSEC Missing | 3.13. Extended DNS Error Code 12 - NSEC Missing | |||
The resolver attempted to perform DNSSEC validation, but the | The resolver attempted to perform DNSSEC validation, but the | |||
requested data was missing and a covering NSEC or NSEC3 was not | requested data was missing and a covering NSEC or NSEC3 was not | |||
provided. | provided. | |||
3.14. Extended DNS Error Code 13 - Cached Error | 3.14. Extended DNS Error Code 13 - Cached Error | |||
The resolver has Cached SERVFAIL for this query. | The resolver is returning the SERVFAIL RCODE from its cache. | |||
3.15. Extended DNS Error Code 14 - Not Ready | 3.15. Extended DNS Error Code 14 - Not Ready | |||
The server is unable to answer the query as it is not fully | The server is unable to answer the query as it is not fully | |||
functional (yet). | functional (yet). | |||
3.16. Extended DNS Error Code 15 - Blocked | 3.16. Extended DNS Error Code 15 - Blocked | |||
The server is unable to respond to the request because the domain is | The server is unable to respond to the request because the domain is | |||
blacklisted due to an internal security policy imposed by the | blacklisted due to an internal security policy imposed by the | |||
skipping to change at page 7, line 29 ¶ | skipping to change at page 7, line 33 ¶ | |||
blacklisted by a security policy imposed upon the server being talked | blacklisted by a security policy imposed upon the server being talked | |||
to by an external requirement. Note that how the imposed policy is | to by an external requirement. Note that how the imposed policy is | |||
applied is irrelevant (in-band DNS filtering, court order, etc). | applied is irrelevant (in-band DNS filtering, court order, etc). | |||
3.18. Extended DNS Error Code 17 - Filtered | 3.18. Extended DNS Error Code 17 - Filtered | |||
The server is unable to respond to the request because the domain is | The server is unable to respond to the request because the domain is | |||
blacklisted as requested by the client. Functionally, this amounts | blacklisted as requested by the client. Functionally, this amounts | |||
to "you requested that we filter domains like this one." | to "you requested that we filter domains like this one." | |||
3.19. Extended DNS Error Code 17 - Prohibited | 3.19. Extended DNS Error Code 18 - Prohibited | |||
An authoritative or recursive resolver that receives a query from an | An authoritative or recursive resolver that receives a query from an | |||
"unauthorized" client can annotate its REFUSED message with this | "unauthorized" client can annotate its REFUSED message with this | |||
code. Examples of "unauthorized" clients are recursive queries from | code. Examples of "unauthorized" clients are recursive queries from | |||
IP addresses outside the network, blacklisted IP addresses, local | IP addresses outside the network, blacklisted IP addresses, local | |||
policy, etc. | policy, etc. | |||
3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer | 3.20. Extended DNS Error Code 19 - Stale NXDOMAIN Answer | |||
The resolver was unable to resolve an answer within its configured | The resolver was unable to resolve an answer within its configured | |||
time limits and decided to answer with a previously cached NXDOMAIN | time limits and decided to answer with a previously cached NXDOMAIN | |||
answer instead of answering with an error. This is typically caused | answer instead of answering with an error. This is may be caused, | |||
by problems communicating with an authoritative server, possibly as | for example, by problems communicating with an authoritative server, | |||
result of a DoS attack against another network. | possibly as result of a DoS attack against another network. | |||
3.21. Extended DNS Error Code 20 - Not Authoritative | 3.21. Extended DNS Error Code 20 - Not Authoritative | |||
An authoritative server that receives a query (with the RD bit clear, | An authoritative server that receives a query (with the RD bit clear, | |||
or when not configured for recursion) for a domain for which it is | or when not configured for recursion) for a domain for which it is | |||
not authoritative SHOULD include this EDE code in the REFUSED | not authoritative SHOULD include this EDE code in the REFUSED | |||
response. A resolver that receives a query (with the RD bit clear) | response. A resolver that receives a query (with the RD bit clear) | |||
SHOULD include this EDE code in the REFUSED response. | SHOULD include this EDE code in the REFUSED response. | |||
3.22. Extended DNS Error Code 21 - Deprecated | 3.22. Extended DNS Error Code 21 - Not Supported | |||
The requested operation or query is not supported as its use has been | The requested operation or query is not supported as its use has been | |||
deprecated. | deprecated. | |||
3.23. Extended DNS Error Code 22 - No Reachable Authority | 3.23. Extended DNS Error Code 22 - No Reachable Authority | |||
The resolver could not reach any of the authoritative name servers | The resolver could not reach any of the authoritative name servers | |||
(or they refused to reply). | (or they refused to reply). | |||
3.24. Extended DNS Error Code 23 - Network Error | 3.24. Extended DNS Error Code 23 - Network Error | |||
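Review bot: Section 3.20 in the right column now reads "This is may be caused, for example, by"; drop "is". The heading of 3.22 was renamed from "Deprecated" to "Not Supported", but the body still reads "is not supported as its use has been deprecated", so the code as described still only covers deprecated operations; if the rename is meant to give the broader meaning (any unsupported operation or query), the body should say so, otherwise the heading and the registry "Purpose" string will overpromise. The renumbering of 3.19 to "Code 18 - Prohibited" correctly fixes the collision with 3.18 (Code 17 - Filtered).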
skipping to change at page 10, line 44 ¶ | skipping to change at page 10, line 51 ¶ | |||
INFO-CODE: 19 | INFO-CODE: 19 | |||
Purpose: Stale NXDomain Answer | Purpose: Stale NXDomain Answer | |||
Reference: Section 3.20 | Reference: Section 3.20 | |||
INFO-CODE: 20 | INFO-CODE: 20 | |||
Purpose: Not Authoritative | Purpose: Not Authoritative | |||
Reference: Section 3.21 | Reference: Section 3.21 | |||
INFO-CODE: 21 | INFO-CODE: 21 | |||
Purpose: Deprecated | Purpose: Not Supported | |||
Reference: Section 3.22 | Reference: Section 3.22 | |||
INFO-CODE: 22 | INFO-CODE: 22 | |||
Purpose: No Reachable Authority | Purpose: No Reachable Authority | |||
Reference: Section 3.23 | Reference: Section 3.23 | |||
INFO-CODE: 23 | INFO-CODE: 23 | |||
Purpose: Network Error | Purpose: Network Error | |||
Reference: Section 3.24 | Reference: Section 3.24 | |||
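Review bot: The registry entry for INFO-CODE 19 says "Stale NXDomain Answer" while Section 3.20 is titled "Stale NXDOMAIN Answer"; use the same capitalization in both, as the registry Purpose string is what implementations and tooling will copy into log messages. The INFO-CODE 21 Purpose was updated to "Not Supported" in step with the heading change, which keeps the registry and the section consistent.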
skipping to change at page 11, line 33 ¶ | skipping to change at page 11, line 40 ¶ | |||
would not trust any unauthenticated information, but until we live in | would not trust any unauthenticated information, but until we live in | |||
an era where all DNS answers are authenticated via DNSSEC or other | an era where all DNS answers are authenticated via DNSSEC or other | |||
mechanisms [RFC2845] [RFC8094], there are some tradeoffs. As an | mechanisms [RFC2845] [RFC8094], there are some tradeoffs. As an | |||
example, an attacker who is able to insert the DNSSEC Bogus Extended | example, an attacker who is able to insert the DNSSEC Bogus Extended | |||
Error into a packet could instead simply reply with a fictitious | Error into a packet could instead simply reply with a fictitious | |||
address (A or AAAA) record. Note that DNS Response Codes also | address (A or AAAA) record. Note that DNS Response Codes also | |||
contain no authentication and can be just as easily manipulated. | contain no authentication and can be just as easily manipulated. | |||
6. Acknowledgements | 6. Acknowledgements | |||
The authors wish to thank Joe Abley, Mark Andrews, Vittorio Bertola, | The authors wish to thank Joe Abley, Mark Andrews, Tim April, | |||
Stephane Bortzmeyer, Vladimir Cunat, Ralph Dolmans, Peter DeVries, | Vittorio Bertola, Stephane Bortzmeyer, Vladimir Cunat, Ralph Dolmans, | |||
Peter van Dijk, Mats Dufberg, Donald Eastlake, Bob Harold, Paul | Peter DeVries, Peter van Dijk, Mats Dufberg, Donald Eastlake, Bob | |||
Hoffman, Geoff Huston, Shane Kerr, Edward Lewis, Carlos M. Martinez, | Harold, Paul Hoffman, Geoff Huston, Shane Kerr, Edward Lewis, Carlos | |||
George Michelson, Eric Orth, Michael Sheldon, Puneet Sood, Petr | M. Martinez, George Michelson, Eric Orth, Michael Sheldon, Puneet | |||
Spacek, Ondrej Sury, John Todd, Loganaden Velvindron, and Paul Vixie. | Sood, Petr Spacek, Ondrej Sury, John Todd, Loganaden Velvindron, and | |||
They also vaguely remember discussing this with a number of people | Paul Vixie. They also vaguely remember discussing this with a number | |||
over the years, but have forgotten who all they were -- if you were | of people over the years, but have forgotten who all they were -- if | |||
one of them, and are not listed, please let us know and we'll | you were one of them, and are not listed, please let us know and | |||
acknowledge you. | we'll acknowledge you. | |||
One author also wants to thank the band "Infected Mushroom" for | One author also wants to thank the band "Infected Mushroom" for | |||
providing a good background soundtrack (and to see if he can get away | providing a good background soundtrack (and to see if he can get away | |||
with this in an RFC!) Another author would like to thank the band | with this in an RFC!) Another author would like to thank the band | |||
"Mushroom Infectors". This was funny at the time we wrote it, but we | "Mushroom Infectors". This was funny at the time we wrote it, but we | |||
cannot remember why... | cannot remember why... | |||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
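Review bot: The security considerations compare a forged EDE to a forged A/AAAA record, which covers integrity, but they do not mention the disclosure risk already flagged in Section 2 (EXTRA-TEXT leaking information "that an observer would not otherwise have access to"); a cross-reference there would put both risks in one place. It would also help implementers to spell out the practical consequence of "can be just as easily manipulated": EDE is advisory, to be used for diagnostics and logging, and per Section 1 must not change how the RCODE is processed, so an injected EDE gives an attacker no influence over resolution beyond what forging the RCODE itself already gives them.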
End of changes. 18 change blocks. | ||||
39 lines changed or deleted | 41 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |