IETF Logo Mail Archive

Re: [dnsext] NSEC4

Alex Bligh <alex@alex.org.uk> Wed, 04 January 2012 19:43 UTC

Return-Path: <alex@alex.org.uk>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 795B611E80A5 for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 11:43:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyngpFXAZ9Vk for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 11:43:45 -0800 (PST)
Received: from mail.avalus.com (mail.avalus.com [89.16.176.221]) by ietfa.amsl.com (Postfix) with ESMTP id DC61D11E808F for <dnsext@ietf.org>; Wed, 4 Jan 2012 11:43:44 -0800 (PST)
Received: from [192.168.100.16] (lemondeh-adsl.demon.co.uk [83.105.105.209]) by mail.avalus.com (Postfix) with ESMTPSA id 3D07AC56126; Wed, 4 Jan 2012 19:43:40 +0000 (GMT)
Date: Wed, 04 Jan 2012 19:43:39 +0000
From: Alex Bligh <alex@alex.org.uk>
To: Matthijs Mekking <matthijs@NLnetLabs.nl>, Roy Arends <roy@nominet.org.uk>
Message-ID: <D3E76A95ED8345D1F635F172@nimrod.local>
In-Reply-To: <4F04329A.6040507@nlnetlabs.nl>
References: <20120104092946.GA4199@miek.nl> <40816163-6712-4FEF-9FE3-324A2A8BCA09@nominet.org.uk> <4F04329A.6040507@nlnetlabs.nl>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: dnsext list <dnsext@ietf.org>
Subject: Re: [dnsext] NSEC4
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 19:43:45 -0000

Matthijs,

--On 4 January 2012 12:06:02 +0100 Matthijs Mekking <matthijs@NLnetLabs.nl> 
wrote:

> First of all, you mentioned that the "no hash" (or "zero hashing") was
> also discussed during the development of NSEC3. Unfortunately, it is
> hard (if not impossible) to define it as a new NSEC3 hash function:

Uggghh. If true, that is a shame.

> For
> "zero hashing" the Next (Hashed) Owner Name field cannot be base32
> encoded. Therefore, with our experiment we made the field a Domain Name.

I /think/ your explanation could be clarified a little. If I understand
things correctly, the issue is not that the Next (Hashed) Owner Name cannot
be base32 encoded (it isn't - it's in binary - see 3.1.6, 3.1.7 and the
last para of 3.2 of the RFC), but that the owner name of the NSEC3 RR needs
to be equal to the base32 encoded value of the previous Next (Hashed) Owner
Name, and as such cannot be guaranteed to fit in the Owner Name.

What we should have done is defined that mapping (base32 encoding here) as
part of the hash algorithm. What we also should have done is specified the
identity mapping as part of the standard. NSEC3 fatigue as someone said.

Unless I'm missing something, the Next (Hashed) Owner Name it seems to me
could be base32 encoded, provided that the encoded value does not exceed
255 bytes. I think that allows representation of up to 159 characters,
which might be useful to someone.

But I seem to remember that hash algorithm support signaling is a minefield
anyway.

-- 
Alex Bligh

v2.29.0 | Report a Bug | By Email | System Status