[DNSOP] Discussions of NSEC5

"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 28 March 2017 18:29 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A11CC129438 for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2017 11:29:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id xWbpXMv9nGw2 for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2017 11:29:10 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DE181297CF for <dnsop@ietf.org>; Tue, 28 Mar 2017 11:29:02 -0700 (PDT)
Received: from [] (dhcp-80bd.meeting.ietf.org []) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id v2SISm5W057785 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <dnsop@ietf.org>; Tue, 28 Mar 2017 11:28:49 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host dhcp-80bd.meeting.ietf.org [] claimed to be []
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: dnsop WG <dnsop@ietf.org>
Date: Tue, 28 Mar 2017 13:28:58 -0500
Message-ID: <230235C0-8033-4D62-9FD2-DE366C7EA368@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.6r5347)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AfJ8rmmSXhgWza1fg8YzIfGZChk>
Subject: [DNSOP] Discussions of NSEC5
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 18:29:13 -0000

During the mic discussions of NSEC5 yesterday, some speakers conflated a 
few things.

- NSEC3 with a good dictionary allows a fair amount of zone enumeration, 
but NSEC3 White Lies does not. Sharon did a good job of differentiating 
this in her slides, but people talking about the need for NSEC5 did not.

- White Lies can be done with NSEC, not just with NSEC3. RFC 7129 calls 
these "minimally covering NSEC records". I would think that doing NSEC 
White Lies would require less CPU than doing NSEC3 White Lies (but I 
haven't done the work to be sure).

When saying why one prefers NSEC5 over the current solutions, it is good 
to be specific which of the current solutions we are talking about.

--Paul Hoffman