IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt

John Dickinson <jad@sinodun.com> Tue, 16 June 2015 10:33 UTC

Return-Path: <jad@sinodun.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15A651B2B3D for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2015 03:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.599
X-Spam-Level:
X-Spam-Status: No, score=0.599 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oM5X8AmMEenD for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2015 03:33:15 -0700 (PDT)
Received: from shcp01.hosting.zen.net.uk (shcp01.hosting.zen.net.uk [88.98.24.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C6E21B2AFB for <dnsop@ietf.org>; Tue, 16 Jun 2015 03:33:15 -0700 (PDT)
Received: from [62.232.251.194] (port=6705 helo=jads-MacBook-Air.local) by shcp01.hosting.zen.net.uk with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <jad@sinodun.com>) id 1Z4oB3-0002sa-SI for dnsop@ietf.org; Tue, 16 Jun 2015 11:33:12 +0100
Message-ID: <557FFB66.5020404@sinodun.com>
Date: Tue, 16 Jun 2015 11:33:10 +0100
From: John Dickinson <jad@sinodun.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: dnsop@ietf.org
References: <20150526153132.306.56516.idtracker@ietfa.amsl.com> <75E0FCDF-615C-4F54-8503-9F821C38B0D5@hopcount.ca> <D1C3C284-0B5E-4CF9-8FF5-F150E814DB8A@vpnc.org> <623EF081-ECDD-4A50-B392-CAE7E8A5B15A@hopcount.ca> <3647CB99-77E0-44AD-A7D5-C2E457552D72@vpnc.org>
In-Reply-To: <3647CB99-77E0-44AD-A7D5-C2E457552D72@vpnc.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shcp01.hosting.zen.net.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sinodun.com
X-Get-Message-Sender-Via: shcp01.hosting.zen.net.uk: authenticated_id: jad@sinodun.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/FnA1IREk6c-ky8iTFH2KHwx3Uv8>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2015 10:33:17 -0000


On 15/06/2015 22:35, Paul Hoffman wrote:
>>>> "NSEC3": whether not NSEC3 is "quite different" from NSEC depends on your context. Functionally, in the narrow sense of "allows verifiable denial of existence", they are identical. I think it would be clearer to focus on their functional similarities, and point out the additional features of NSEC3 (opt-out and making zone enumeration harder), observing that any particular signed zone must use exactly one of these, not both (so, they are alternatives, and one of them is required).
>>> Disagree. Even in the "allows verifiable denial of existence", they are quite different in that the processing needed is very different. The "fundamental similarities" are only in what is achieve, not in the way of achieving it.
>> Perhaps we could agree on some text that confirms that they are functionally similar, whilst having quite different approaches to achieving that functionality? That seems like it would be better than declaring them to be "quite different".
> The current text says:
> NSEC3:
> : The NSEC3 resource record is quite different than the NSEC resource record.
> Like the NSEC record, the NSEC3 record also provides authenticated denial of existence; however,
> NSEC3 records mitigates against zone enumeration and support Opt-Out.
> NSEC3 resource records are defined in {{RFC5155}}.
>
> I think the second sentence says what you want, and the first sentence is factually correct in the that the records themselves really are different.
>
I dislike the current text especially "is quite different than the NSEC 
resource record"

NSEC3: An alternative to NSEC. The NSEC3 RR allows verifiable denial of 
existence. However, is allows the zone signer to "Opt-out" and not 
create an NSEC3 RR at insecure (no DS) delegations. This has the 
advantage of allowing the zone size to scale gracefully with the 
increase in signed delegations. This is especially useful for operators 
of large delegation centric zones. In addition, NSEC3 uses hashed owner 
names in order to make zone enumeration approximately as hard as it 
would be in an unsigned zone.

This make me think that the document should define owner name and 
possibly the NSEC3PARAM RR.

regards
John

v2.23.0 | Report a Bug | By Email