Re: [dnsext] Authenticated denial of existence...

Miek Gieben <miek@miek.nl> Wed, 20 November 2013 21:37 UTC

Date: Wed, 20 Nov 2013 21:37:40 +0000
From: Miek Gieben <miek@miek.nl>
To: Ted Lemon <ted.lemon@nominum.com>, Jiankang Yao <yaojk@cnnic.cn>, "dnsext@ietf.org Group" <dnsext@ietf.org>
Message-ID: <20131120213740.GB30164@miek.nl>
Mail-Followup-To: Ted Lemon <ted.lemon@nominum.com>, Jiankang Yao <yaojk@cnnic.cn>, "dnsext@ietf.org Group" <dnsext@ietf.org>
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <201311201459364160303@cnnic.cn> <20131120075359.GA23121@miek.nl> <9978C9F9-598B-41B9-A938-C0E23EC58E5A@nominum.com> <20131120153819.GA12162@miek.nl> <20131120205053.1A8F5AA86C9@rock.dv.isc.org>
In-Reply-To: <20131120205053.1A8F5AA86C9@rock.dv.isc.org>
X-Home: http://www.miek.nl
Subject: Re: [dnsext] Authenticated denial of existence...
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>

[ Quoting <marka@isc.org> in "Re: [dnsext] Authenticated denial o..." ]
> 
> You may want to have some discussion about the pointlessness of
> NSEC3 in highly structured zones like ip6.arpa and in-addr.arpa.
> These can be walked even with NSEC3 due to their structure.
> 
> You may want to point out that a NSEC proves the existence of all
> empty non-terminals between the two names in it hence contains the
> closest provable encloser.

Ack and ack. These would indeed be good things to add.

> There is a bias that NSEC3 is better than NSEC.  They are just
> different.  NSEC3 is actually worse for the typical trivial zone
> as it doesn't help with zone walking as you can guess the names and
> adds pointless computational load on both authoritative servers and
> validators.

I agree with your assertions, but I hope to keep the draft purely
technical.

Grtz, Miek
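Both of Mark's points above, worked through in code. This is an illustration added to this page, not code from the draft, the working group or either poster. It assumes SHA-1 NSEC3 hashing as specified in RFC 5155 (checked against the appendix vector: salt aabbccdd, 12 iterations, "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom), a constructed /24 in-addr.arpa zone with three PTR owner names, and constructed NSEC owner/next pairs; the zone contents and the helper function names are invented for the example.

```python
import base64
import hashlib

# Added illustration for this page, not code from the draft or either poster.
# The zone contents, salt and iteration count below are constructed for the example.

B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(B32_STD, B32_HEX)


def labels(name):
    """Presentation-form name -> lowercase labels, leaf first, root omitted."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed, root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"


def canonical_key(name):
    """Sort key for canonical DNS ordering: compare label by label from the root."""
    return [l.encode() for l in reversed(labels(name))]


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: IH(x,0) = H(x||salt), IH(x,k) = H(IH(x,k-1)||salt), with SHA-1,
    rendered in base32hex. Salt and iteration count are public (NSEC3PARAM)."""
    digest = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()


def nsec3_owner_hashes(zone_names, salt, iterations):
    """What an NSEC3 chain exposes to anyone who queries it: the hashed owner names."""
    return {nsec3_hash(n, salt, iterations) for n in zone_names}


def walk_reverse_zone(apex, owner_hashes, salt, iterations):
    """Mark's first point: in a /24 in-addr.arpa zone a child label is one of only
    256 values, so guessed hashes are simply matched against the chain (ip6.arpa is
    worse: 16 nibble values per label). Returns the recovered names, in octet order."""
    found = []
    for octet in range(256):
        candidate = f"{octet}.{apex}"
        if nsec3_hash(candidate, salt, iterations) in owner_hashes:
            found.append(candidate)
    return found


def nsec_covers(qname, owner, nxt):
    """True if qname sorts strictly between an NSEC's owner and next name."""
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(nxt)
    if o < n:
        return o < q < n
    return q > o          # last record of the chain wraps back to the apex


def nsec_closest_encloser(qname, owner, nxt):
    """Mark's second point: every ancestor of the NSEC owner exists (as a real name
    or an empty non-terminal), so the longest ancestor qname shares with the owner
    is the closest encloser this one record proves. If the next name is a descendant
    of qname, qname itself is an empty non-terminal (NODATA, not NXDOMAIN).
    Returns (closest_encloser, qname_is_ent)."""
    if not nsec_covers(qname, owner, nxt):
        raise ValueError("NSEC record does not cover the query name")
    q, o, n = labels(qname)[::-1], labels(owner)[::-1], labels(nxt)[::-1]
    is_ent = len(n) > len(q) and n[: len(q)] == q
    if is_ent:
        return ".".join(labels(qname)) + ".", True
    common = 0
    while common < min(len(q), len(o)) and q[common] == o[common]:
        common += 1
    return ".".join(reversed(q[:common])) + ".", False


if __name__ == "__main__":
    # Constructed /24 reverse zone: apex plus three PTR owner names.
    apex = "1.168.192.in-addr.arpa."
    zone = [apex] + [f"{o}.{apex}" for o in (1, 42, 200)]
    salt, iters = bytes.fromhex("aabbccdd"), 12
    print(walk_reverse_zone(apex, nsec3_owner_hashes(zone, salt, iters), salt, iters))
    # NSEC a.b.example. -> z.example. covers c.b.example.; b.example. is proven to exist.
    print(nsec_closest_encloser("c.b.example.", "a.b.example.", "z.example."))
    # NSEC example. -> a.b.example.: b.example. sits in the gap but is an empty non-terminal.
    print(nsec_closest_encloser("b.example.", "example.", "a.b.example."))
```

The walk needs nothing secret: the salt and iteration count come from the zone's own NSEC3PARAM, and the 256 candidate hashes cost the attacker the same work the iteration count imposes on every validator. The NSEC helper shows the other side of the comparison: one owner/next pair already fixes the closest encloser, and the "next name is a descendant of qname" check is what keeps an empty non-terminal from being misread as NXDOMAIN.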