Network Working Group                                          T. Carpay
Internet-Draft                                                 W. Toorop
Intended status: Experimental                                 NLnet Labs
Expires: 29 August 2022                                 25 February 2022


         Extra Extended DNS Error codes for DNSSEC status bogus
              draft-carpay-extra-ede-codes-dnssec-bogus-00

Abstract

   While implementing Extended DNS Errors (RFC8914) in our DNSSEC
   validating resolver software Unbound, we encountered these specific
   situations regarding the DNSSEC bogus status for which no Extended
   DNS Error was yet defined.  This draft serves as a reference for the
   code point requests.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 29 August 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.




Carpay & Toorop          Expires 29 August 2022                 [Page 1]


Internet-Draft           Extra DNSSEC EDE codes            February 2022


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Extended DNS Error Code 26 - Signature Wrong Size . . . .   2
     1.2.  Extended DNS Error Code 27 - Malformed Signer Name  . . .   2
     1.3.  Extended DNS Error Code 28 - Signer Name Out of zone  . .   2
     1.4.  Extended DNS Error Code 29 - Signature Label Count
           Wrong . . . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.5.  Extended DNS Error Code 30 - DNSSEC Insufficient NSEC
           Proof . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.6.  Extended DNS Error Code 31 - DNSSEC Unknown Protocol  . .   3
   2.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   4.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
     4.2.  Informative References  . . . . . . . . . . . . . . . . .   3
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   3

1.  Introduction

   While implementing Extended DNS Errors ([RFC8914]) in our DNSSEC
   validating resolver software Unbound ([UNBOUNDPR]), we encountered
   these specific situations regarding the DNSSEC bogus status for which
   no Extended DNS Error was yet defined.

1.1.  Extended DNS Error Code 26 - Signature Wrong Size

   The resolver attempted to perform DNSSEC validation, but the
   signature is either smaller or larger than expected for the specified
   algorithm.

1.2.  Extended DNS Error Code 27 - Malformed Signer Name

   The resolver attempted to perform DNSSEC validation, but the Signer's
   Name Field in the signature contains a malformed signer (d)name.

1.3.  Extended DNS Error Code 28 - Signer Name Out of zone

   The resolver attempted to perform DNSSEC validation, but the Signer's
   Name Field in the signature does not contain the zone name of the
   covered RRset.

1.4.  Extended DNS Error Code 29 - Signature Label Count Wrong

   The resolver attempted to perform DNSSEC validation, but the number
   of labels in the Signature Labels Field is incorrect.


1.5.  Extended DNS Error Code 30 - DNSSEC Insufficient NSEC Proof

   The resolver attempted to perform DNSSEC validation, but the signed
   response does not have a valid NSEC proof.

1.6.  Extended DNS Error Code 31 - DNSSEC Unknown Protocol

   The resolver attempted to perform DNSSEC validation, but found a
   value not equal to 3 in the DNSKEY Protocol Field, which Section
   2.1.2 of RFC 4034 requires to be 3.
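
   The following Python program is an added example for this draft, not
   part of it and not Unbound's code: it applies the checks described in
   Sections 1.1 through 1.4 and 1.6 to constructed RRSIG and DNSKEY
   records, returns the proposed INFO-CODE for the first failing check,
   and wraps that code in an EDE EDNS option as RFC 8914 specifies.  The
   RRSIG and DNSKEY data classes, the order of the checks, the fixed
   signature sizes per algorithm and the sample records are assumptions
   made for the illustration.  Code 30 is not modelled, since an NSEC
   proof check needs the full set of NSEC records surrounding the query
   name rather than a single record.

```python
"""Map DNSSEC validation failures to the EDE code points requested in
this draft and encode the result as an RFC 8914 EDNS option.

Added example for the draft, not Unbound's code: the record classes,
the check order and the constructed sample records are assumptions."""

import struct
from dataclasses import dataclass
from typing import List, Optional

EDE_OPTION_CODE = 15                     # RFC 8914 EDNS OPTION-CODE

# INFO-CODEs proposed in this draft (Sections 1.1-1.4 and 1.6).
EDE_SIGNATURE_WRONG_SIZE = 26
EDE_MALFORMED_SIGNER_NAME = 27
EDE_SIGNER_NAME_OUT_OF_ZONE = 28
EDE_SIGNATURE_LABEL_COUNT_WRONG = 29
EDE_DNSSEC_UNKNOWN_PROTOCOL = 31

# Signature length in octets for fixed-size algorithms: ECDSAP256SHA256
# (13), ECDSAP384SHA384 (14), ED25519 (15), ED448 (16).  RSA signatures
# vary with the key size, so they are not size-checked here.
FIXED_SIG_SIZES = {13: 64, 14: 96, 15: 64, 16: 114}


@dataclass
class RRSIG:                # assumed minimal RRSIG view (RFC 4034, Sec. 3)
    algorithm: int
    labels: int             # Labels field
    signer: str             # Signer's Name field, presentation format
    signature: bytes


@dataclass
class DNSKEY:               # assumed minimal DNSKEY view (RFC 4034, Sec. 2)
    protocol: int
    algorithm: int


def parse_name(name: str) -> List[str]:
    """Split a presentation-format name into lower-cased labels.  Raise
    ValueError if the name is malformed: an empty label, a label longer
    than 63 octets, or a wire form longer than 255 octets."""
    if name in ("", "."):
        return []
    if name.endswith("."):
        name = name[:-1]
    labels = name.lower().split(".")
    for label in labels:
        if not label or len(label.encode()) > 63:
            raise ValueError("bad label %r" % label)
    if sum(len(lbl.encode()) + 1 for lbl in labels) + 1 > 255:
        raise ValueError("name exceeds 255 octets on the wire")
    return labels


def owner_label_count(owner: str) -> int:
    """Label count as RFC 4034, Section 3.1.3 defines it: the root and a
    leading wildcard label are not counted."""
    labels = parse_name(owner)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def check_rrsig(owner: str, zone: str, sig: RRSIG) -> Optional[int]:
    """Return the EDE INFO-CODE for the first failing structural check, or
    None when all pass (these checks precede cryptographic verification)."""
    expected = FIXED_SIG_SIZES.get(sig.algorithm)
    if expected is not None and len(sig.signature) != expected:
        return EDE_SIGNATURE_WRONG_SIZE
    try:
        signer_labels = parse_name(sig.signer)
    except ValueError:
        return EDE_MALFORMED_SIGNER_NAME
    # The signer must be the zone that contains the covered RRset.
    if signer_labels != parse_name(zone):
        return EDE_SIGNER_NAME_OUT_OF_ZONE
    # RFC 4035, Section 5.3.1: the owner name must have at least as many
    # labels as the Labels field; fewer in the field only means a wildcard.
    if sig.labels > owner_label_count(owner):
        return EDE_SIGNATURE_LABEL_COUNT_WRONG
    return None


def check_dnskey(key: DNSKEY) -> Optional[int]:
    """RFC 4034, Section 2.1.2: the Protocol field MUST be 3."""
    return None if key.protocol == 3 else EDE_DNSSEC_UNKNOWN_PROTOCOL


def ede_option(info_code: int, extra_text: str = "") -> bytes:
    """Encode an EDE EDNS option (RFC 8914): OPTION-CODE, OPTION-LENGTH,
    then the 2-octet INFO-CODE followed by optional UTF-8 EXTRA-TEXT."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


if __name__ == "__main__":
    # Constructed sample: a 63-octet Ed25519 signature over www.example.
    bad = RRSIG(algorithm=15, labels=2, signer="example.",
                signature=b"\x00" * 63)
    code = check_rrsig("www.example.", "example.", bad)
    print(code, ede_option(code, "signature is 63 octets").hex())
```

   The checks run in the order a validator would reach them: the
   signature length and signer name can be judged from the RRSIG alone,
   the zone match needs the apex the resolver has determined, and the
   label count needs the owner name of the covered RRset.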

2.  IANA Considerations

   This draft requests the assignment of new EDE code values for the
   specified EDE codes.

3.  Security Considerations

   As this draft only seeks to add code points to the EDE registry, the
   security considerations are the same as in [RFC8914].

4.  References

4.1.  Normative References

   [RFC8914]  Kumari, W., Hunt, E., Arends, R., Hardaker, W., and D.
              Lawrence, "Extended DNS Errors", RFC 8914,
              DOI 10.17487/RFC8914, October 2020,
              <https://www.rfc-editor.org/info/rfc8914>.

4.2.  Informative References

   [UNBOUNDPR]
              Carpay, T. and W. Toorop, "EDE for Unbound pull request",
              n.d., <https://github.com/NLnetLabs/unbound/pull/604/>.

Authors' Addresses

   Tom Carpay
   NLnet Labs
   Email: tom@nlnetlabs.nl


   Willem Toorop
   NLnet Labs
   Email: willem@nlnetlabs.nl
