Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
Alex Bligh <alex@alex.org.uk> Fri, 22 January 2010 20:31 UTC
Return-Path: <alex@alex.org.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFFE23A6944 for <dnsop@core3.amsl.com>; Fri, 22 Jan 2010 12:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9qgQ46bIvi5d for <dnsop@core3.amsl.com>; Fri, 22 Jan 2010 12:31:19 -0800 (PST)
Received: from mail.avalus.com (mail.avalus.com [89.16.176.221]) by core3.amsl.com (Postfix) with ESMTP id 329603A6837 for <dnsop@ietf.org>; Fri, 22 Jan 2010 12:31:18 -0800 (PST)
Received: from [192.168.100.124] (87-194-71-186.bethere.co.uk [87.194.71.186]) by mail.avalus.com (Postfix) with ESMTPSA id 91018C563AD; Fri, 22 Jan 2010 20:31:13 +0000 (GMT)
Date: Fri, 22 Jan 2010 20:31:12 +0000
From: Alex Bligh <alex@alex.org.uk>
To: Paul Wouters <paul@xelerance.com>
Message-ID: <D6C3D7B5FE44C580F05A1673@nimrod.local>
In-Reply-To: <alpine.LFD.1.10.1001221446090.24208@newtla.xelerance.com>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <alpine.LFD.1.10.1001221446090.24208@newtla.xelerance.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: dnsop WG <dnsop@ietf.org>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 20:31:20 -0000
Paul, --On 22 January 2010 14:51:38 -0500 Paul Wouters <paul@xelerance.com> wrote: >>> the NSEC3 RR chain. Therefor, Opt-Out should be avoided if possible. >> >> 1. Therefor*e* >> >> 2. I don't think the last sentence follows from the foregoing, in that >> this behaviour is desirable for the zone operator! (I know what >> you mean). >> >> 3. Aside from that, I don't think an injunction to avoid Opt-Out in >> these terms is sensible in a delegation only zone. In such a zone, >> I don't really see the additional security risk from opt out across >> insecure delegations, given if a spoof can be done, it can be >> done at the delegated zone level. > > If I secure example.org, and .org is signed, OPT-OUT might cause a spoofed > exemple.org to not be caught by the user's validating resolver. Therefor, > I do think opt-out should be avoided when possible. If I run .org, which is signed, but example.org is NOT signed (i.e. is an unsigned delegation), there seems to be little reason to avoid opt out across it. Whilst it might be harder to spoof the absence or existence of the delegation, I can still spoof the contents (or absence of contents) in example.org. So, whilst opt-out should be avoided across intervals containing secure delegations, I see no reason to avoid it across intervals that don't contain secure delegations. >> There are considerable operational >> advantages in Opt Out (zone size, cryptographic complexity etc.) > > I understand zone size, though I don't understand "cryptographic > complexity". > Having different "security values" attached to data within the same zone > seems > more complex to me, not less complex? I meant computational resource requirements resultant from crypto operations, not algorithmic complexity. The owner names in NSEC3 RRs are cryptographic hashes of the original owner name. Assume you have a delegation only zone consisting of sparse secure delegations amongst many insecure delegations. If you are using NSEC3 at all, using opt-out substantially reduces the number of NSEC3 records (since many insecure delegations will cluster together within the opt-out interval) and thus the length of the NSEC3 chain, and hence reduce the number of cryptographic hash calculations. Similarly the zone itself is smaller, so less work to sign. The situation is exacerbated where the insecure delegations are volatile. It might be worth mentioning (but is perhaps blindingly obvious) that NSEC3 is substantially more complex in terms of implementation than NSEC. Whilst one can by visual inspection spot the odd problem with a small zone's NSEC chain, it's far harder with NSEC3. Obviously, if a tool chain is used to NSECify and sign the zone, that's a problem for the implementor rather than the operator. -- Alex Bligh
- [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bis-01… Internet-Drafts
- Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bi… Shane Kerr
- Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bi… Edward Lewis
- Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bi… Florian Weimer
- [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Stephane Bortzmeyer
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Andrew Sullivan
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Shane Kerr
- [DNSOP] Key sizes was Re: I-D Action:draft-ietf-d… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Andrew Sullivan
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Shane Kerr
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Shane Kerr
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Shane Kerr
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Chris Thompson
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Shane Kerr
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Jelte Jansen
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Evan Hunt
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Edward Lewis
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] Key sizes bmanning
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Ted Lemon
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Peter Koch
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Joe Abley
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Francis Dupont
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Olaf Kolkman
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Richard Lamb
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Edward Lewis
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olafur Gudmundsson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Matt Larson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. bmanning
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. W.C.A. Wijngaards
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olafur Gudmundsson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Andrew Sullivan
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olafur Gudmundsson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Todd Glassey
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. John Dickinson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. W.C.A. Wijngaards
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. W.C.A. Wijngaards
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Matt Larson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Edward Lewis
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Todd Glassey
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Andrew Sullivan
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- [DNSOP] threads having "jumped the shark" was Re:… Edward Lewis
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Jakob Schlyter
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Andrew Sullivan
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Florian Weimer
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Florian Weimer
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Todd Glassey
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Nicholas Weaver
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton