Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

Patrik Fältström <paf@frobbit.se> Mon, 16 March 2015 01:44 UTC

From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <7988690F-B843-4729-BA78-F9454E4437F1@nic.cz>
Date: Mon, 16 Mar 2015 02:44:28 +0100
Message-Id: <55A56B55-A895-4F41-A582-C7DA536306C2@frobbit.se>
References: <D126F949.9B95%edward.lewis@icann.org> <1085336065.26227.1426437027452.JavaMail.zimbra@nic.cz> <7D2937A2-D91B-4EAB-A3E4-EF9576A5CCC6@frobbit.se> <7988690F-B843-4729-BA78-F9454E4437F1@nic.cz>
To: Ondřej Surý <ondrej.sury@nic.cz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/DlNF9EqQyBvrqLNz3xzYfZv1zp0>
Cc: Edward Lewis <edward.lewis@icann.org>, dnsop@ietf.org
Subject: Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

> On 15 mar 2015, at 21:19, Ondřej Surý <ondrej.sury@nic.cz> wrote:
> 
> This is a really vague memory of it, but the main problem was that NSEC enumeration with public whois allowed data scraping.

Ok, but the real problem was then that all registered domain names were also delegated? Together with all data existing in Whois?

Not really DNSSEC related.

> Thus whois rate limiting, implementation of "hide-this" flags and NSEC3 were deployed to prevent the majority of it. Some limits were also implemented in the registry to prevent cross-registrar data digging via EPP.

Ok.

   paf