On Mon, Nov 19, 2018 at 07:15:34PM +0530, Mukund Sivaraman wrote:
> Hi Stephen, Francis
>
> On Mon, Nov 19, 2018 at 04:56:50AM -0800, internet-dra...@ietf.org wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > This draft is a work item of the Domain Name System Operations WG of the
> > IETF.
> >
> > Title : Secret Key Transaction Authentication for DNS
> > (TSIG)
> > Authors : Francis Dupont
> > Stephen Morris
> > Paul Vixie
> > Donald E. Eastlake 3rd
> > Olafur Gudmundsson
> > Brian Wellington
> > Filename : draft-ietf-dnsop-rfc2845bis-02.txt
> > Pages : 26
> > Date : 2018-11-19
When investigating a TKEY related implementation bug, I noticed that the text in RFC 3645 is not very clearly written about prohibiting TSIG signed responses for some error conditions (e.g., section 4.1.3 where the writing seems to assume paragraph contexts). I recommend that you check the various cases in RFC 3645 to make sure the protocol doesn't allow inclusion of arbitrary or invalid request MAC in response TSIG MAC computation, and state this so in the bis draft.

In any case, the text in the draft has to be updated for the relaxation in RFC 3645 section 2.2. It wouldn't be so bad if the two RFCs could be merged as part of this bis work.

Mukund

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
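The concern above is that a server must never feed an unverified request MAC into its response MAC. The following is an added illustration (not code from the thread, the draft, or any named implementation) of the server-side check: it lays out the RFC 2845 digest components, verifies the request's claimed MAC first, and only then includes it in the response digest, answering a bad signature with an unsigned BADSIG error instead. Key, key name, message bytes and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demonstration (not taken from the mail or the draft).
KEY = b"example-shared-secret"
KEY_NAME = "key.example."
ALG_NAME = "hmac-sha256."
BADSIG = 16  # RFC 2845 TSIG error code

def wire_name(name):
    """Canonical wire form of a domain name: lowercase, uncompressed (RFC 2845 s3.4.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG variables in digest order: NAME, CLASS (ANY), TTL (0), algorithm name,
    time signed (48 bits), fudge, error, other len, other data."""
    return (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0) + wire_name(ALG_NAME)
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def compute_mac(msg_wire, variables, request_mac=None):
    """RFC 2845 s3.4 digest: [2-byte length || request MAC] || message || TSIG variables.
    The request MAC component is present only when computing a response MAC."""
    data = b""
    if request_mac is not None:
        data += struct.pack("!H", len(request_mac)) + request_mac
    return hmac.new(KEY, data + msg_wire + variables, hashlib.sha256).digest()

def sign_response(req_wire, req_time, claimed_req_mac, resp_wire, resp_time, fudge=300):
    """Server side. Returns (mac, tsig_error). The request's claimed MAC is verified
    before it is used; only a verified MAC becomes an input to the response digest.
    A request whose MAC fails verification gets a BADSIG error with an empty MAC
    (the unsigned error response of RFC 2845), so an arbitrary or invalid request
    MAC is never mixed into the server's HMAC computation."""
    expected = compute_mac(req_wire, tsig_variables(req_time, fudge))
    if not hmac.compare_digest(expected, claimed_req_mac):
        return b"", BADSIG
    resp_vars = tsig_variables(resp_time, fudge, error=0)
    return compute_mac(resp_wire, resp_vars, request_mac=claimed_req_mac), 0
```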