Internet-Draft Extra DNSSEC EDE codes February 2022
Carpay & Toorop Expires 29 August 2022 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-carpay-extra-ede-codes-dnssec-bogus-00
Published:
Intended Status:
Experimental
Expires:
Authors:
T. Carpay
NLnet Labs
W. Toorop
NLnet Labs

Extra Extended DNS Error codes for DNSSEC status bogus

Abstract

While implementing Extended DNS Errors (RFC8914) in our DNSSEC validating resolver software Unbound, we encountered this specific situations regarding the DNSSEC bogus status where no Extended DNS Error were yet defined. This draft serves as a reference for code points requests.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 29 August 2022.

1. Introduction

While implementing Extended DNS Errors ([RFC8914]) in our DNSSEC validating resolver software Unbound ([UNBOUNDPR]), we encountered this specific situations regarding the DNSSEC bogus status where no Extended DNS Error were yet defined.

1.1. Extended DNS Error Code 26 - Signature Wrong Size

The resolver attempted to perform DNSSEC validation, but the signature is either smaller or larger than expected for the specified algorithm.

1.2. Extended DNS Error Code 27 - Malformed Signer Name

The resolver attempted to perform DNSSEC validation, but the Signer's Name Field in the signature contains a malformed signer (d)name.

1.3. Extended DNS Error Code 28 - Signer Name Out of zone

The resolver attempted to perform DNSSEC validation, but the Signer's Name Field in the signature does not contain the zone name of the covered RRset.

1.4. Extended DNS Error Code 29 - Signature Label Count Wrong

The resolver attempted to perform DNSSEC validation, but the number of labels in the Signature Labels Field is incorrect.

1.5. Extended DNS Error Code 30 - DNSSEC Insufficient NSEC Proof

The resolver attempted to perform DNSSEC validation, but the signed response does not have valid NSEC proof.

1.6. Extended DNS Error Code 31 - DNSSEC Unknown Protocol

The resolver attempted to perform DNSSEC validation, but found a value not equal to 3 in the DNSKEY protocol number field as specified by RFC4034#section-2.1.2.

2. IANA Considerations

This draft requests the assignment of a new EDE code values for the specified EDE codes.

3. Security Considerations

As this draft only seeks to add code points to the EDE registry, the security considerations as the same as in [RFC8914].

4. References

4.1. Normative References

[RFC8914]
Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D. Lawrence, "Extended DNS Errors", RFC 8914, DOI 10.17487/RFC8914, , <https://www.rfc-editor.org/info/rfc8914>.

4.2. Informative References

[UNBOUNDPR]
Carpay, T. and W. Toorop, "EDE for Unbound pull request", n.d., <https://github.com/NLnetLabs/unbound/pull/604/>.

Authors' Addresses

Tom Carpay
NLnet Labs
Willem Toorop
NLnet Labs