idnits 2.17.1

draft-carpay-extra-ede-codes-dnssec-bogus-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (25 February 2022) is 781 days in the past.  Is this
     intentional?

  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          T. Carpay
Internet-Draft                                                 W. Toorop
Intended status: Experimental                                 NLnet Labs
Expires: 29 August 2022                                 25 February 2022

         Extra Extended DNS Error codes for DNSSEC status bogus
              draft-carpay-extra-ede-codes-dnssec-bogus-00

Abstract

   While implementing Extended DNS Errors (RFC8914) in our DNSSEC
   validating resolver software Unbound, we encountered these specific
   situations regarding the DNSSEC bogus status where no Extended DNS
   Errors were yet defined.  This draft serves as a reference for code
   point requests.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 29 August 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Extended DNS Error Code 26 - Signature Wrong Size
     1.2.  Extended DNS Error Code 27 - Malformed Signer Name
     1.3.  Extended DNS Error Code 28 - Signer Name Out of zone
     1.4.  Extended DNS Error Code 29 - Signature Label Count Wrong
     1.5.  Extended DNS Error Code 30 - DNSSEC Insufficient NSEC Proof
     1.6.  Extended DNS Error Code 31 - DNSSEC Unknown Protocol
   2.  IANA Considerations
   3.  Security Considerations
   4.  References
     4.1.  Normative References
     4.2.  Informative References
   Authors' Addresses

1.  Introduction

   While implementing Extended DNS Errors ([RFC8914]) in our DNSSEC
   validating resolver software Unbound ([UNBOUNDPR]), we encountered
   these specific situations regarding the DNSSEC bogus status where no
   Extended DNS Errors were yet defined.

1.1.  Extended DNS Error Code 26 - Signature Wrong Size

   The resolver attempted to perform DNSSEC validation, but the
   signature is either smaller or larger than expected for the specified
   algorithm.

1.2.  Extended DNS Error Code 27 - Malformed Signer Name

   The resolver attempted to perform DNSSEC validation, but the Signer's
   Name Field in the signature contains a malformed signer (d)name.

1.3.  Extended DNS Error Code 28 - Signer Name Out of zone

   The resolver attempted to perform DNSSEC validation, but the Signer's
   Name Field in the signature does not contain the zone name of the
   covered RRset.

1.4.  Extended DNS Error Code 29 - Signature Label Count Wrong

   The resolver attempted to perform DNSSEC validation, but the number
   of labels in the Signature Labels Field is incorrect.

1.5.  Extended DNS Error Code 30 - DNSSEC Insufficient NSEC Proof

   The resolver attempted to perform DNSSEC validation, but the signed
   response does not have a valid NSEC proof.

1.6.  Extended DNS Error Code 31 - DNSSEC Unknown Protocol

   The resolver attempted to perform DNSSEC validation, but found a
   value not equal to 3 in the DNSKEY protocol number field as specified
   by RFC4034#section-2.1.2.

2.  IANA Considerations

   This draft requests the assignment of new EDE code values for the
   specified EDE codes.

3.  Security Considerations

   As this draft only seeks to add code points to the EDE registry, the
   security considerations are the same as in [RFC8914].

4.  References

4.1.  Normative References

   [RFC8914]  Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D.
              Lawrence, "Extended DNS Errors", RFC 8914,
              DOI 10.17487/RFC8914, October 2020.

4.2.  Informative References

   [UNBOUNDPR]
              Carpay, T. and W. Toorop, "EDE for Unbound pull request",
              n.d.

Authors' Addresses

   Tom Carpay
   NLnet Labs
   Email: tom@nlnetlabs.nl

   Willem Toorop
   NLnet Labs
   Email: willem@nlnetlabs.nl
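
The checks behind four of the proposed codes (26, 28, 29 and 31, Sections 1.1, 1.3, 1.4 and 1.6), as an added example that is neither part of the draft nor Unbound's code. It maps a pre-parsed RRSIG to the first code whose condition it meets; codes 27 and 30 are left out because they need wire-format name parsing and NSEC chain handling. Assumptions: the `rrsig_view` struct, the function names, text-form names, the order of checks, and a signer check reduced to the necessary condition that the owner lies at or below the Signer's Name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Code points proposed in Sections 1.1, 1.3, 1.4 and 1.6 of the draft. */
enum { EDE_NONE = -1, EDE_SIG_WRONG_SIZE = 26, EDE_SIGNER_OUT_OF_ZONE = 28,
       EDE_LABEL_COUNT_WRONG = 29, EDE_UNKNOWN_PROTOCOL = 31 };
/* Hypothetical pre-parsed RRSIG view; names are lowercase absolute text. */
struct rrsig_view {
    const char *owner, *signer;       /* covered RRset owner; Signer's Name */
    unsigned alg, labels, key_proto;  /* RRSIG Algorithm, Labels; DNSKEY Protocol */
    size_t sig_len;                   /* Signature field length in octets */
};

/* Fixed sizes: 13/15 = ECDSA P-256, Ed25519; 14 = ECDSA P-384; 16 = Ed448. */
static size_t expected_sig_len(unsigned alg) {
    return (alg == 13 || alg == 15) ? 64 : alg == 14 ? 96 : alg == 16 ? 114 : 0;
}

/* Labels in an absolute name, not counting the root or a leading "*" label. */
static unsigned count_labels(const char *name) {
    unsigned n = 0;
    if (strcmp(name, ".") == 0) return 0;
    if (strncmp(name, "*.", 2) == 0) name += 2;
    for (; *name; name++) n += (*name == '.');
    return n;
}

/* True when owner equals zone or is a subdomain of it (whole-label suffix). */
static int in_zone(const char *owner, const char *zone) {
    size_t lo = strlen(owner), lz = strlen(zone);
    if (strcmp(zone, ".") == 0) return 1;
    if (lz > lo || strcmp(owner + lo - lz, zone) != 0) return 0;
    return lo == lz || owner[lo - lz - 1] == '.';
}

/* First failed check wins; the ordering is this example's choice, not the draft's. */
int classify_bogus(const struct rrsig_view *r) {
    size_t want = expected_sig_len(r->alg);  /* 0 for variable-size algorithms */
    if (r->key_proto != 3) return EDE_UNKNOWN_PROTOCOL;
    if (want && r->sig_len != want) return EDE_SIG_WRONG_SIZE;
    if (!in_zone(r->owner, r->signer)) return EDE_SIGNER_OUT_OF_ZONE;
    if (r->labels > count_labels(r->owner)) return EDE_LABEL_COUNT_WRONG;
    return EDE_NONE;
}

int main(void) {  /* constructed sample: Ed25519 signature one octet short */
    struct rrsig_view r = { "www.example.com.", "example.com.", 15, 3, 3, 63 };
    return printf("EDE %d\n", classify_bogus(&r)) < 0;
}
```

The label-aligned suffix test matters for code 28: `badexample.com.` ends in the string `example.com.` but is not inside that zone.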