Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 22 February 2010 13:39 UTC

Message-ID: <4B82897F.7080000@nlnetlabs.nl>
Date: Mon, 22 Feb 2010 14:41:19 +0100
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
To: dnsop@ietf.org
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <8E6C64ED-A336-4E8B-996F-9FB471EB07C6@NLnetLabs.nl> <4B7FE58C.5030605@ogud.com> <20100220202751.GB54720@shinkuro.com> <20100220213133.GE2477@isc.org> <4B807DC0.9050807@ogud.com> <315AD36E-879A-4512-A6A8-B64372E3D3CF@sinodun.com> <201002220022.o1M0M3qR048760@drugs.dv.isc.org> <A8EB3AAE-0DA6-4C4E-B2D1-E548884F63D5@dnss.ec> <4B8251E9.70904@nlnetlabs.nl> <699B9362-B927-4148-B79E-2AEB6D713BE8@dnss.ec>
In-Reply-To: <699B9362-B927-4148-B79E-2AEB6D713BE8@dnss.ec>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Roy,

On 02/22/2010 02:14 PM, Roy Arends wrote:
> Nah, we love collisions, it makes it all so more efficient. Besides,
> I think the probability of finding a bug in authoritative server
> software is way higher than a hash-collision.

Yes, I agree that it is very unlikely. (And I wouldn't mind a 2**-100
chance of bugs in my software :-) ). If there ever are multiple
NSEC3-hash-algorithm choices, the 'hash collision' resistance is a
factor.  NSEC, by virtue of its design, cannot have these hash collisions
(but then it does not hash either).

>> But I agree more pertinent to choice is the increased CPU demand
>> and larger packets when using NSEC3.  And opt-out, obfuscation
>> desiderata.
> 
> All FUD.

I actually thought those were the choices, was I wrong in that
assessment?  SHA-1 hashes take time, and NSEC3 responses are larger
(mostly because you need 3 records instead of 2 for the common case and
the extra signature counts, not because the NSEC3 itself is that much
larger).  I am not saying this makes NSEC3 an unchoosable option; but it
is a tradeoff, and if you can use NSEC because you do not need the
benefits of NSEC3, you should, because it'll drive down bandwidth and
cpu usage (slightly) for everyone.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkuCiX8ACgkQkDLqNwOhpPhXxACeMb7HH57cvczT41QMopDfiAtj
skMAoIOK83bylZ4x6VqRrB1FEoLkNvhs
=1MC1
-----END PGP SIGNATURE-----
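The two points argued in the message above, the per-query SHA-1 cost of NSEC3 and the extra record an NXDOMAIN proof needs compared with NSEC, can be made concrete with a small script. The following is an added example, not code from the message, the DNSOP thread or any NLnet Labs product. It implements the RFC 5155 section 5 hash (owner name in canonical wire form, salted, iterated, base32hex) and the RFC 5155 section 7.2.2 closest-encloser proof, using the Appendix A parameters (SHA-1, salt aabbccdd, 12 iterations) and a constructed toy zone without empty non-terminals or wildcards; the query names are made up.

```python
"""NSEC3 hashing (RFC 5155 s5) and the NSEC3 records an NXDOMAIN proof needs (s7.2.2).

Added example; not code from the message above or from any NLnet Labs product.
Zone contents and query names below are constructed for illustration.
"""
import hashlib
from typing import List, Tuple

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 s7 alphabet, lowercase


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # root label terminates the name


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet and no padding, as NSEC3 owner names use."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt_hex: str = "aabbccdd", iterations: int = 12) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # every extra iteration is one more SHA-1 per name
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_chain(names, salt_hex: str = "aabbccdd", iterations: int = 12) -> List[Tuple[str, str]]:
    """The NSEC3 chain: (hash, name) pairs in hash order. Refuses a colliding hash."""
    chain = sorted((nsec3_hash(n, salt_hex, iterations), n.lower().rstrip(".")) for n in names)
    for (h1, n1), (h2, n2) in zip(chain, chain[1:]):
        if h1 == h2:
            raise ValueError(f"NSEC3 hash collision: {n1} and {n2}")
    return chain


def covering(chain: List[Tuple[str, str]], h: str) -> str:
    """Owner name of the NSEC3 whose (owner hash, next hash) interval covers h, wrapping at the end."""
    hashes = [x for x, _ in chain]
    idx = max((i for i, x in enumerate(hashes) if x < h), default=len(hashes) - 1)
    return chain[idx][1]


def nxdomain_proof(qname: str, zone_names, salt_hex: str = "aabbccdd", iterations: int = 12) -> List[str]:
    """Owner names of the NSEC3 records a server must return to prove qname does not exist:
    one matching the closest encloser, one covering the next closer name, and one covering
    the wildcard at the closest encloser. Two of the three may be the same record."""
    existing = {n.lower().rstrip(".") for n in zone_names}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        ce = ".".join(labels[i:])
        if ce in existing:  # closest encloser: longest existing ancestor of qname
            next_closer = ".".join(labels[i - 1:])
            break
    else:
        raise ValueError(f"{qname!r} is not below any name in the zone")
    chain = build_chain(zone_names, salt_hex, iterations)
    needed = {
        ce,
        covering(chain, nsec3_hash(next_closer, salt_hex, iterations)),
        covering(chain, nsec3_hash("*." + ce, salt_hex, iterations)),
    }
    return sorted(needed)


if __name__ == "__main__":
    # Constructed toy zone (names only; RRsets omitted). The apex hash matches RFC 5155 Appendix A.
    zone = ["example.", "a.example.", "ns1.example.", "ns2.example.", "w.example.", "x.w.example."]
    print("apex NSEC3 owner:", nsec3_hash("example."))
    print("records for NXDOMAIN of nope.example.:", nxdomain_proof("nope.example.", zone))
```

Running it prints the hashed apex owner name from RFC 5155 Appendix A and the two or three zone names whose NSEC3 (and RRSIG) records an NXDOMAIN answer has to carry; an NSEC zone needs only the record covering the query name plus the one covering the wildcard, which is where the "3 records instead of 2" in the message comes from.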