Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard
Geoffrey Sisson <geoff@nominet.org.uk> Mon, 05 December 2005 18:05 UTC
Date: Mon, 05 Dec 2005 18:02:15 +0000
From: Geoffrey Sisson <geoff@nominet.org.uk>
Message-Id: <200512051802.jB5I2Fw2000075@staff.nominet.org.uk>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard
Cc: namedroppers@ops.ietf.org, iesg@ietf.org
In-Reply-To: <a06200700bfba0b9b435c@[10.31.32.96]>
Edward Lewis <Ed.Lewis@neustar.biz> wrote:

> At 15:13 +0000 12/5/05, Geoffrey Sisson wrote:
>
> >Note that -ietf-dnsext-dns-name-p-s has been requested for publication
> >as Experimental, so it's not part of the protocol. The described
> >methods are provided as an aid to implementors and are not normative.
>
> I hate dropping into document politics as a backdrop for a technical
> discussion. I mean, I just wanted to re-express the original intent
> because I think the solution is more complicated than it needs to be.

Hi Ed,

This was in response to your comment:

> I think it's unwise to design a standard part of the protocol based on
> the data content of the zone.

It was simply to clarify that the methods described in
draft-ietf-dnsext-dns-name-p-s are not part of the NSEC epsilon
protocol, but are implementation details that may be disregarded without
protocol violation. The NSEC epsilon protocol is defined solely by
draft-ietf-dnsext-dnssec-online-signing. I'm not sure how I was invoking
document politics by attempting to make this clarification.

> >The "modified method" would be quite broken for some types of zones,
> >e.g. ones with lots of deeply-nested empty non-terminals. For example:
> >
> >    $ORIGIN 5.6.8.1.4.4.e164.arpa.
> >
> >    1.1.2.2.3.3 IN NAPTR <blah>
> >
> >    9.9.2.2.3.3 IN NAPTR <blah>
>
> [snip]
>
> E.g., in the example you raise, enumeration isn't an issue, so I'd say
> it's a bad example to use in the sense that it isn't a realistic dilemma.

You may prefer this real-life example: We at Nominet maintain a zone for
the sch.uk domain with the following structure:

    $ORIGIN sch.uk.

    <school>.<locality> IN NS <nameserver 1>
    <school>.<locality> IN NS <nameserver 2>

e.g.:

------------------------ Begin included text ------------------------
    . . .
    appleton.oxon       IN NS ns0.netcentral.co.uk.
    appleton.oxon       IN NS ns1.netcentral.co.uk.
    aston-and-cote      IN NS ns0.netcentral.co.uk.
    aston-and-cote      IN NS ns1.netcentral.co.uk.
    . . .
------------------------- End included text -------------------------

For a query with QNAME asbo.oxon.sch.uk., using the modified method
would result in this NSEC RR:

    oxom\255{59}.sch.uk. IN NSEC oxon\000.sch.uk. NSEC RRSIG

The response could then be used to deny the existence of any of the 300+
DNS names in the oxon.sch.uk. domain. In fact, the existence of _any_
desired DNS name in .sch.uk could be trivially denied by generating a
suitable QNAME and then replaying the result.

> The essence of my comment is that the attempts to remove
> enumerability from DNSSEC mean "violating" assumptions made in the
> decision tree [1] used long ago to arrive at the NXT record.

I think this is more a comment on draft-ietf-dnsext-dnssec-online-signing
than on draft-ietf-dnsext-dns-name-p-s (which is a supporting document
for the former).

> Being an
> approximation, there will be inaccuracies. The question isn't
> whether there are, but whether the inaccuracy will cause a problem.

I hope I've been persuasive that the use of the "modified method" with
some zones will result in unacceptable inaccuracies, which is why it's
not the only one presented.

Geoff
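To make the scope problem concrete, here is a small checker (an added example, not code from this thread or from either draft) that applies RFC 4034 section 6.1 canonical ordering to decide which names fall inside an NSEC span. The wide NSEC is the one quoted in the mail; the tight one is a constructed comparison that only perturbs the leftmost label of the queried name, and the `\255{59}` shorthand is expanded the way the mail uses it.

```python
"""NSEC span checker: which names does an NSEC RR "cover" under RFC 4034
canonical ordering?  Added example for the sch.uk discussion above; not
code from the thread or from any of the drafts."""
import re

# \DDD escape, optionally followed by the {n} repeat shorthand used in the mail
ESC = re.compile(r"\\(\d{3})(?:\{(\d+)\})?")


def parse_label(text: str) -> bytes:
    """Expand \\DDD and \\DDD{n} escapes; lowercase (RFC 4034 s6.1 ignores case)."""
    out, pos = bytearray(), 0
    for m in ESC.finditer(text):
        out += text[pos:m.start()].encode("ascii")
        out += bytes([int(m.group(1))]) * int(m.group(2) or 1)
        pos = m.end()
    out += text[pos:].encode("ascii")
    return bytes(out).lower()


def canonical_key(name: str) -> list[bytes]:
    """Labels most-significant first, so plain Python list/bytes comparison
    yields RFC 4034 s6.1 order (escaped dots inside labels are not handled)."""
    labels = [parse_label(l) for l in name.rstrip(".").split(".") if l]
    return labels[::-1]


def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname lies strictly between owner and next, i.e. the NSEC
    asserts that qname does not exist; the last NSEC in a zone wraps to the apex."""
    o, n, q = map(canonical_key, (owner, nxt, qname))
    if o < n:
        return o < q < n
    return q > o or q < n


# NSEC RR quoted in the mail, produced by the "modified method" for asbo.oxon.sch.uk
WIDE_NSEC = ("oxom\\255{59}.sch.uk.", "oxon\\000.sch.uk.")
# Constructed comparison: a span that only perturbs the leftmost label of the QNAME
TIGHT_NSEC = ("asbn\\255{59}.oxon.sch.uk.", "asbo\\000.oxon.sch.uk.")

# The queried name plus delegations taken from the zone excerpt in the mail
NAMES = ["asbo.oxon.sch.uk.", "appleton.oxon.sch.uk.", "aston-and-cote.sch.uk."]


def denied_names(nsec: tuple[str, str]) -> list[str]:
    """Names whose non-existence this NSEC would attest if replayed."""
    return [n for n in NAMES if nsec_covers(*nsec, n)]


if __name__ == "__main__":
    for label, nsec in (("wide", WIDE_NSEC), ("tight", TIGHT_NSEC)):
        print(label, "->", denied_names(nsec))
```

The wide span reports the existing delegation appleton.oxon.sch.uk. as denied alongside the queried name, which is exactly the replay concern raised above; the tight span denies only asbo.oxon.sch.uk.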