On Sat, 16 Jun 2018, RFC Errata System wrote:
Original Text
-------------
DNS records that would be
classified "indeterminate" in the sense of [RFC4035] are simply
classified as "insecure".
Corrected Text
--------------
DNS records that would be
classified "indeterminate" in the sense of [RFC4033] are simply
classified as "insecure".
Whether original or corrected text, what it does here worried me more.
The RFC opens with:
Abstract
This memo describes a downgrade-resistant protocol [...]
Not really downgrade-resistant if I can just strip some RRSIGs from
the packets to make it fail open. So this text is confusing.
But it does make that clear in 2.1.2:
If any DNS queries used to locate
TLSA records fail (due to "bogus" or "indeterminate" records,
timeouts, malformed replies, SERVFAIL responses, etc.), then the SMTP
client MUST treat that server as unreachable and MUST NOT deliver the
message via that server.
I'm not sure if that's worth bringing into the errata. If we have the
errata as is, it might actually mislead developers into thinking they
must treat an indeterminate response as insecure and use it for TLSA.
Paul
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
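The distinction the thread turns on is that RFC 4033 and RFC 4035 use "indeterminate" for two different things: in RFC 4033 it means no configured trust anchor covers the name at all (the sentence under erratum reclassifies that case as "insecure"), while in RFC 4035 it means the resolver could not obtain the DNSSEC records needed to decide, which is the kind of failure section 2.1.2 lists next to "bogus", timeouts and SERVFAIL. The following is an added illustration, not code from the DANE working group or from any MTA: a toy chain-walking validator that assigns one of the four states to a constructed TLSA lookup, followed by the RFC 7672 decision the SMTP client then makes. The zones (`com`, `example.com`), the delegation flags, the placeholder TLSA record and the helper names (`validate`, `smtp_dane_policy`, `classify`, `run_scenarios`) are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    """DNSSEC security state of the TLSA answer as the SMTP client sees it."""
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"   # RFC 4035 sense: needed DNSSEC RRs could not be obtained


class Action(Enum):
    """What the SMTP client does with the MX host after the TLSA lookup."""
    DANE_TLS = "require DANE-authenticated TLS"
    OPPORTUNISTIC_TLS = "unauthenticated opportunistic TLS (no usable TLSA data)"
    UNREACHABLE = "treat server as unreachable (RFC 7672 section 2.1.2)"


@dataclass
class Delegation:
    """One delegation below the trust anchor on the way to the TLSA owner zone (constructed)."""
    child: str
    ds: Optional[bool]          # True: parent publishes a DS; False: it does not; None: DS query never completed
    no_ds_proof: bool = False   # for ds=False: a validly signed NSEC/NSEC3 denial of the DS came back


@dataclass
class TlsaAnswer:
    """Constructed outcome of the TLSA query itself (not a real resolver response)."""
    rcode: str                  # "NOERROR", "SERVFAIL", "TIMEOUT", "MALFORMED"
    records: List[str]          # TLSA RRs returned; empty for NODATA
    rrsig_valid: bool           # RRSIGs were present and verify against the zone's DNSKEY


def validate(trust_anchor: bool, chain: List[Delegation], answer: TlsaAnswer) -> Optional[State]:
    """Toy validator (hypothetical, not a real resolver). Returns None when the lookup never completed."""
    if answer.rcode != "NOERROR":
        return None
    if not trust_anchor:
        # RFC 4033 "indeterminate" (no trust anchor covers the name); RFC 7672 classifies this as "insecure".
        return State.INSECURE
    for step in chain:
        if step.ds is None:
            return State.INDETERMINATE   # could not fetch the DS needed to decide: a failed lookup
        if step.ds:
            continue                     # secure delegation, the chain of trust continues downward
        if step.no_ds_proof:
            return State.INSECURE        # provably unsigned from here on down
        return State.BOGUS               # DS missing and its absence unproven (e.g. stripped NSEC)
    return State.SECURE if answer.rrsig_valid else State.BOGUS   # signed zone: signatures are mandatory


def smtp_dane_policy(state: Optional[State], answer: TlsaAnswer) -> Action:
    """RFC 7672: only 'secure' TLSA data is used, 'insecure' counts as absent,
    and every other outcome is a failed lookup, so the host is unreachable."""
    if state is State.SECURE:
        return Action.DANE_TLS if answer.records else Action.OPPORTUNISTIC_TLS
    if state is State.INSECURE:
        return Action.OPPORTUNISTIC_TLS
    return Action.UNREACHABLE            # bogus, indeterminate, SERVFAIL, timeout, malformed


def classify(trust_anchor: bool, chain: List[Delegation],
             answer: TlsaAnswer) -> Tuple[Optional[State], Action]:
    state = validate(trust_anchor, chain, answer)
    return state, smtp_dane_policy(state, answer)


# Constructed sample chains and a placeholder TLSA record (usage 3, selector 1, SHA-256).
SIGNED = [Delegation("com", ds=True), Delegation("example.com", ds=True)]
UNSIGNED_LEAF = [Delegation("com", ds=True), Delegation("example.com", ds=False, no_ds_proof=True)]
DS_STRIPPED = [Delegation("com", ds=True), Delegation("example.com", ds=False, no_ds_proof=False)]
DS_TIMEOUT = [Delegation("com", ds=True), Delegation("example.com", ds=None)]
TLSA = ["3 1 1 " + "00" * 32]


def run_scenarios() -> Dict[str, Tuple[Optional[State], Action]]:
    good = TlsaAnswer("NOERROR", TLSA, rrsig_valid=True)
    stripped = TlsaAnswer("NOERROR", TLSA, rrsig_valid=False)    # RRSIGs removed in transit
    nodata = TlsaAnswer("NOERROR", [], rrsig_valid=True)         # signed denial: no TLSA published
    servfail = TlsaAnswer("SERVFAIL", [], rrsig_valid=False)
    return {
        "secure TLSA RRset": classify(True, SIGNED, good),
        "RRSIGs stripped in a signed zone": classify(True, SIGNED, stripped),
        "DS stripped, no denial proof": classify(True, DS_STRIPPED, good),
        "unsigned leaf zone (signed proof of no DS)": classify(True, UNSIGNED_LEAF, stripped),
        "no trust anchor (RFC 4033 indeterminate)": classify(False, SIGNED, good),
        "DS query failed (RFC 4035 indeterminate)": classify(True, DS_TIMEOUT, good),
        "secure NODATA": classify(True, SIGNED, nodata),
        "SERVFAIL": classify(True, SIGNED, servfail),
    }


if __name__ == "__main__":
    for name, (state, action) in run_scenarios().items():
        print(f"{name:45} {state.value if state else 'lookup failed':14} -> {action.value}")
```

Stripping RRSIGs from a signed zone, or stripping the DS without its signed denial, lands in "bogus" and the host becomes unreachable; only a signed proof that the zone is unsigned yields "insecure" and a fallback to opportunistic TLS. A real MTA does not walk the chain itself; it asks a validating resolver and relies on the AD bit, with the resolver's SERVFAIL covering the bogus and RFC 4035 indeterminate cases, which the toy keeps separate only so that the four states stay visible.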