
inconsistency between rfc 2136 and rfc 2845



During a Secure Dynamic Update tutorial at RIPE 43 a situation arose that seems to indicate a conflict between RFC 2136 (Dynamic Update) and RFC 2854 (Secret Key Authentication for DNS). The problem isn't major - the labeling of an error condition is the problem.

In 2136, we have this:
   2.2 - Message Header
...
   RCODE   Response code - this four bit field is undefined in requests
           and set in responses.  The values and meanings of this field
           within responses are as follows:

              Mneumonic   Value   Description
             ------------------------------------------------------------
...
             NOTAUTH     9       The server is not authoritative for
                                 the zone named in the Zone Section.
(Mnemonic is misspelled in the RFC text.)

In RFC 2854, we have this text:
3 - Protocol Operation
...
   3.2. TSIG processing on incoming messages
...
  If an incoming message contains a TSIG record, it MUST be the last
...
  ...........................................................  If the
  algorithm name or key name is unknown to the recipient, or if the
  message digests do not match, the whole DNS message MUST be
  discarded.  If the message is a query, a response with RCODE 9
  (NOTAUTH) MUST be sent back to the originator with TSIG ERROR 17
  (BADKEY) or TSIG ERROR 16 (BADSIG).  ....
The issue is that in 2136 "NOTAUTH" seems to mean not authoritative and in 2854 "NOTAUTH" seems to mean not authenticated.

The reason this was noticed was in the reply to an update where the key was undefined to the server but the update was to a name & type in the zone. Rightly so, the software determined that the request was not properly authenticated and followed 2854's words. But when I was trying to explain this in the tutorial, I found the 2136 definition to seem to indicate a different error.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer
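The ambiguity above is easiest to see on the wire: an UPDATE response with RCODE 9 can only be told apart as "not authoritative" or "not authenticated" by reading the ERROR field of the TSIG RR in the additional section. The following is an added example, not code from the post or from any DNS implementation; it builds constructed UPDATE responses (key name, zone and algorithm name are made up, the MAC is left empty so the messages are not really signed) and classifies the NOTAUTH, assuming names carry no compression pointers.

```python
import struct

NOTAUTH = 9   # RCODE 9: "not authoritative" in RFC 2136, TSIG failure in RFC 2845
TSIG = 250    # TSIG meta-RR type (RFC 2845)
TSIG_ERRORS = {16: "BADSIG", 17: "BADKEY"}  # TSIG ERROR values quoted in the post

def encode_name(name):
    # Wire-format an uncompressed domain name.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    # Read an uncompressed name; assumption: no compression pointers in this message.
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def build_update_response(rcode, tsig_error=None, key="update-key.example."):
    # Constructed sample UPDATE response; the TSIG RR (if any) carries an empty MAC, so it is not signed.
    flags = 0x8000 | (5 << 11) | rcode            # QR=1, OPCODE=5 (UPDATE), RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0 if tsig_error is None else 1)
    msg += encode_name("example.com.") + struct.pack("!HH", 6, 1)   # Zone section: SOA IN
    if tsig_error is not None:
        rdata = encode_name("hmac-md5.sig-alg.reg.int.") + b"\x00" * 6      # algorithm, time signed
        rdata += struct.pack("!HHHHH", 300, 0, 0x1234, tsig_error, 0)      # fudge, MAC size 0, orig ID, error, other len
        msg += encode_name(key) + struct.pack("!HHIH", TSIG, 255, 0, len(rdata)) + rdata
    return msg

def classify_notauth(msg):
    # Say which meaning an RCODE 9 carries: the TSIG ERROR field decides, not the RCODE alone.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):                          # skip the Zone section
        _, off = decode_name(msg, off); off += 4
    tsig_error = None
    for _ in range(an + ns + ar):                # walk every RR, looking for TSIG
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == TSIG:
            _, p = decode_name(msg, off)         # algorithm name
            mac_size = struct.unpack("!H", msg[p + 8:p + 10])[0]
            tsig_error = struct.unpack("!H", msg[p + 12 + mac_size:p + 14 + mac_size])[0]
        off += rdlen
    if rcode != NOTAUTH:
        return "rcode:%d" % rcode
    if tsig_error in TSIG_ERRORS:
        return "tsig:" + TSIG_ERRORS[tsig_error]   # not authenticated (RFC 2845 sense)
    return "not-authoritative"                     # no TSIG error: RFC 2136 sense
```

Logging the TSIG ERROR value alongside the RCODE is what lets an operator distinguish a bad key from a misdirected update when reading server or client diagnostics.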

