Re: [DNSOP] nsec3-parameters opinions gathered

Petr Špaček <pspacek@isc.org> Tue, 09 November 2021 18:14 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 215AE3A0C94 for <dnsop@ietfa.amsl.com>; Tue, 9 Nov 2021 10:14:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.449
X-Spam-Level:
X-Spam-Status: No, score=-5.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.33, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=MHw7Qajp; dkim=pass (1024-bit key) header.d=isc.org header.b=Kwv4k2Xo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0QEWzLNk_F0i for <dnsop@ietfa.amsl.com>; Tue, 9 Nov 2021 10:14:49 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 879703A0CFF for <dnsop@ietf.org>; Tue, 9 Nov 2021 10:14:49 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id F1CBF4350E5 for <dnsop@ietf.org>; Tue, 9 Nov 2021 18:14:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1636481688; bh=mRFLB5ZqLkUC04EtmG0xx18IHiui7NGJXJLVhbNwipI=; h=Date:From:Subject:To:References:In-Reply-To; b=MHw7QajpusDrnKltYoxrApHMY7rU5iV6bLxSXtkSJHTW/P8GUPTi4Uftpb37wVWzP sfIy0Dhqgg/nf3eTLK83qz/9BATKGY00CYWwT1CZD+BKzeNuOjuFtSlt9CJSE2IKgz h29m05QmUjUzO6Je0Sufx3yGmf6j7mIqMbaxF4Ag=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id EA433F0866D for <dnsop@ietf.org>; Tue, 9 Nov 2021 18:14:47 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id C1BD8F0866F for <dnsop@ietf.org>; Tue, 9 Nov 2021 18:14:47 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org C1BD8F0866F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1636481687; bh=B2bv3BB4tbhNmGBgPYSpCgjlP4sui93kvtWdQiOUV9w=; h=Message-ID:Date:MIME-Version:From:To; b=Kwv4k2Xo6DJ1jEaR6xYbdi8m/BKUlgdwXY5TH63NdjfvNF35X1yXwv/hF1xc+ZLx1 2MuiPUekdGOyLKl1r1gEPoFjYSiCZZmBoXIIVi1JoqbTIF3pU/axtFNfJNjrvYkN56 YAjqcohhClBmx9/yXr9ZZNs7lvq3j/rPyjFV2Y+Y=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id VfrL0JKBJmpO for <dnsop@ietf.org>; Tue, 9 Nov 2021 18:14:47 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-254-49.net.upcbroadband.cz [86.49.254.49]) by zimbrang.isc.org (Postfix) with ESMTPSA id 54EB9F0866D for <dnsop@ietf.org>; Tue, 9 Nov 2021 18:14:47 +0000 (UTC)
Message-ID: <6b361b0c-67ac-0a67-80a6-7627a15f98fb@isc.org>
Date: Tue, 09 Nov 2021 19:14:44 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
From: Petr Špaček <pspacek@isc.org>
To: dnsop@ietf.org
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl> <4254eece-a024-dbe4-3a64-a7ff957ce945@pletterpet.nl> <ec14099d-adfe-09ae-a06c-80cc2a1cf793@isc.org> <ybly25yojbw.fsf@w7.hardakers.net> <6a13b459-c52b-02e7-9390-3345581df8d1@isc.org> <C764C53B-C80B-4355-B8FA-BE62700CE76E@dukhovni.org>
Content-Language: en-US
In-Reply-To: <C764C53B-C80B-4355-B8FA-BE62700CE76E@dukhovni.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EeoIjwYVhhpOUus1sna21aQgCho>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 18:14:54 -0000

On 09. 11. 21 18:57, Viktor Dukhovni wrote
>> On 9 Nov 2021, at 4:11 am, Petr Špaček <pspacek@isc.org> wrote:
>>
>> I don't see need to specify _a_ value here. I think better approach is acknowledge current state of things. What about something like this?
>>
>> ---
>> As for November 2021, the limit of 150 iterations for treating answer as insecure is interoperable without significant problems, but at the same time it makes DoS attacks based on exhausting CPU resources three times cheaper when compared to 0 iterations.
>>
>> For this reason software vendors are expected to evaluate NSEC3 iteration counts seen in wild and lower their limits over time.
>> ---
>>
>> What do you think about this approach?
> 
> I have no objections to setting the limits to essentially zero, but would suggest:
> 
>    - Authoritative servers employing NSEC3 SHOULD set the (additional)
>      iteration count to 0.  Higher values may run into interoperability
>      problems with validating resolvers and secondary servers.
> 
>    - Validating resolvers MAY over time reduce the maximum NSEC3
>      (additional) iteration count they support to as low as 1.
>      NSEC3 iteration counts of 0 and 1 MUST continue to be supported.
> 
> The reason I'd prefer that validators allow 1 as well as zero, is that:
> 
> * We're then probably looking at just ~1% performance impact
>    (extrapolated from the posted perf numbers)
> 
> * It is I think not obvious to naive operators that 0 iterations really
>    means 0 *additional* iterations, and the initial hashing step is still
>    performed.  Thus 1 is a fairly popular setting, and I'm inclined to
>    require that it be tolerated in validators, even if we're telling
>    auth zone operators to use 0.

Agreed, 1 is probably what we will have to live with in spec for validators.

> All that said, after the RFC is done, we'll need to do another round
> of outreach to TLD zone aand customer domain hosting operators as well
> as independent self-hosting auth zone operators, this time to ask for
> a reduction to 0 (as opposed to 100 or less).  I hope that won't be
> principally (or alone) up to me.

+1

Petr Špaček