Re: [DNSOP] Updated NSEC5 protocol spec and paper
Dave Lawrence <tale@dd.org> Fri, 10 March 2017 20:38 UTC
Paul Hoffman writes:
> Is there a community of zone admins who want this so much that they
> won't start signing until it exists?

I think that question is a little extreme and need not go that far to determine whether something is worthwhile to pursue.

My interest in NSEC5 is largely around the significant performance gains it has over NSEC3-WhiteLies, with double the throughput reported in "Can NSEC5 be Practical for DNSSEC Deployments" <https://eprint.iacr.org/2017/099.pdf>. We have a large number of zones that are not yet signed, and a non-trivial part of that is because of performance. NSEC5 has an impact in addressing that issue.

Professionally, I'm somewhat less concerned about the enumeration issue because at least some of the zones where I want to use it have highly structured names anyway. Enumerating them is trivial even in plain old non-DNSSEC DNS. In the other, less-structured zones that we already sign we use classic NSEC3 and are considering going to NSEC3-WL on behalf of customers that do care about it. We have online ksks for other features required of these zones.

On a personal level I appreciate that this proposal enhances ksk security while addressing the enumeration problem.