Re: [dnsext] Authenticated denial of existence...

Mark Andrews <marka@isc.org> Wed, 20 November 2013 20:51 UTC

To: "dnsext@ietf.org Group" <dnsext@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <201311201459364160303@cnnic.cn> <20131120075359.GA23121@miek.nl> <9978C9F9-598B-41B9-A938-C0E23EC58E5A@nominum.com> <20131120153819.GA12162@miek.nl>
Mail-Followup-To: Ted Lemon <ted.lemon@nominum.com>, Jiankang Yao <yaojk@cnnic.cn>, "dnsext@ietf.org Group" <dnsext@ietf.org>
In-reply-to: Your message of "Wed, 20 Nov 2013 15:38:19 -0000." <20131120153819.GA12162@miek.nl>
Date: Thu, 21 Nov 2013 07:50:53 +1100
Message-Id: <20131120205053.1A8F5AA86C9@rock.dv.isc.org>
Subject: Re: [dnsext] Authenticated denial of existence...

You may want to have some discussion about the pointlessness of
NSEC3 in highly structured zones like ip6.arpa and in-addr.arpa.
These can be walked even with NSEC3 due to their structure.

You may want to point out that an NSEC proves the existence of all
empty non-terminals between the two names in it, hence contains the
closest provable encloser.

There is a bias that NSEC3 is better than NSEC.  They are just
different.  NSEC3 is actually worse for the typical trivial zone,
as it doesn't help with zone walking, as you can guess the names, and it
adds pointless computational load on both authoritative servers and
validators.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
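The two technical claims in the message above, that an NSEC's two names imply the existence of every empty non-terminal between them (and so pin down the closest encloser), and that NSEC3's salted, iterated hashing costs every server and validator work per name, can be checked in code. The following is an added example written for this archive page, not code from the original thread, from ISC, or from any of the implementations discussed. The zone names (`a.example.`, `x.y.z.example.`, `w.y.z.example.`) and the 150-iteration figure are constructed for illustration; the ordering and hashing rules follow RFC 4034 section 6.1 and RFC 5155 section 5.

```python
import hashlib

# --- NSEC: canonical ordering, coverage and closest encloser (RFC 4034 s6.1, RFC 7129) ---

def labels(name):
    """Split a DNS name into lowercase labels, leftmost first; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare from the root label downward, byte-wise,
    with a name sorting before all of its descendants. Python compares lists of
    bytes exactly this way (a shorter prefix sorts first)."""
    return [l.encode("ascii") for l in reversed(labels(name))]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next name, i.e. the NSEC proves
    qname absent. The last NSEC in a zone points back to the apex, so it wraps around."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    if o == n:                  # single-name zone: everything but the owner is absent
        return q != o
    return q > o or q < n       # wrap-around at the end of the chain

def implied_names(owner, next_name):
    """Every proper ancestor (below the root) of the owner and of the next name must
    exist, possibly only as an empty non-terminal: this is what the NSEC proves to exist."""
    found = set()
    for name in (owner, next_name):
        ls = labels(name)
        for i in range(1, len(ls)):
            found.add(".".join(ls[i:]) + ".")
    return found

def closest_encloser(owner, next_name, qname):
    """Longest common ancestor of qname with either NSEC name. Those ancestors are proven
    to exist, and nothing between owner and next does, so this is the closest encloser."""
    best = []
    for name in (owner, next_name):
        common = []
        for ql, nl in zip(reversed(labels(qname)), reversed(labels(name))):
            if ql != nl:
                break
            common.append(ql)
        if len(common) > len(best):
            best = common
    return ".".join(reversed(best)) + "."

# --- NSEC3: hashed owner names (RFC 5155 section 5) and what iterations cost ---

def wire_name(name):
    """Canonical wire form: length-prefixed lowercase labels ending with the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"

def base32hex(data):
    """RFC 4648 base32hex, lowercase as in zone files; SHA-1's 160 bits need no padding."""
    alphabet = "0123456789abcdefghijklmnopqrstuv"
    bits = int.from_bytes(data, "big")
    return "".join(alphabet[(bits >> s) & 31] for s in range(len(data) * 8 - 5, -1, -5))

def nsec3_hash(name, salt, iterations):
    """SHA-1(name || salt), then 'iterations' further rounds of SHA-1(prev || salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)

def validator_hashes_for_denial(qname, zone, iterations):
    """SHA-1 invocations needed to verify one NSEC3 closest-encloser proof: every
    candidate encloser from qname up to the zone apex is hashed, at iterations+1 each.
    An NSEC proof needs none of this."""
    candidates = len(labels(qname)) - len(labels(zone)) + 1
    return candidates * (iterations + 1)

if __name__ == "__main__":
    owner, nxt = "a.example.", "x.y.z.example."   # constructed NSEC: a.example. NSEC x.y.z.example.
    for q in ("b.example.", "w.y.z.example."):
        print(q, "covered:", nsec_covers(owner, nxt, q),
              "closest encloser:", closest_encloser(owner, nxt, q))
    print("names the NSEC proves to exist:", sorted(implied_names(owner, nxt)))
    # RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations); compare with the RFC's table.
    print("NSEC3 hash of example.:", nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
    print("SHA-1 calls to validate denial of w.y.z.example. at 150 iterations:",
          validator_hashes_for_denial("w.y.z.example.", "example.", 150))
```

Running it shows `w.y.z.example.` covered by the single NSEC with closest encloser `y.z.example.`, a name that appears nowhere in the zone file yet is proven to exist by the NSEC's next name, which is the point about empty non-terminals. The last line makes the cost remark concrete: one negative answer costs a validator (and the server that built the proof) hundreds of hash calls once iterations are in the hundreds, against zero for NSEC.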