Re: [DNSOP] Comments regarding the NSEC5

Jan Včelák <jan.vcelak@nic.cz> Mon, 16 March 2015 09:56 UTC

From: Jan Včelák <jan.vcelak@nic.cz>
To: dnsop@ietf.org
Date: Mon, 16 Mar 2015 10:56:13 +0100
Message-ID: <16230113.HBcX0lRyl8@pc-cznic4>
Organization: CZ.NIC Labs
User-Agent: KMail/4.14.4 (Linux/4.0.0-0.rc2.git0.1.fc22.x86_64; KDE/4.14.6; x86_64; ; )
In-Reply-To: <55017AE5.3080103@redhat.com>
References: <55002098.5060709@redhat.com> <5418135.fhyjAyNSf0@pc-cznic4> <55017AE5.3080103@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/GycKRSOeU5HNq6tvERZQk0c0b_4>
Cc: Florian Weimer <fweimer@redhat.com>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [DNSOP] Comments regarding the NSEC5

On Thursday, March 12, 2015 12:39:17 PM Florian Weimer wrote:
> On 03/12/2015 11:36 AM, Jan Včelák wrote:
> >> And does anyone actually use opt out with NSEC3?
> > 
> > Yes, .com for example. My impression was that Opt-Out was the selling
> > point of NSEC3, not the domain name hashing.
> 
> Okay.  Are they interested in switching to NSEC5?

I was trying to say that TLDs use NSEC3 because of Opt-Out. This seems to be 
true, based on the information Edward sent in the "Using NSEC3 for opt-out" 
thread.

The target audience for NSEC5 is people who care about zone enumeration. 
They could be using Minimally Covering NSEC Records or NSEC3 White Lies at the 
moment. Both of these mechanisms already require on-line signing and private 
zone signing keys on all authoritative servers. NSEC5 just removes the 
necessity to have keys on the servers.

Jan
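As an added illustration (not code from this thread or from any NSEC5 implementation) of why the two mechanisms named above need an on-line signer: the covering names are derived from the query name itself, so the denial record does not exist until the query arrives and must be signed on the spot. NSEC3 hashing follows RFC 5155 and the covering-name construction follows RFC 4470; the query names, salt and iteration count are constructed, and the 255-octet total-name limit of RFC 4470 is ignored for brevity.

```python
import base64
import hashlib

# base32 -> base32hex (RFC 5155 uses the extended-hex alphabet, case-insensitive)
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789abcdefghijklmnopqrstuv")


def wire_labels(name: str) -> list:
    """Canonical (lowercase) labels of a domain name as bytes, root omitted."""
    return [lbl.encode() for lbl in name.lower().rstrip(".").split(".") if lbl]


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name, terminated by the empty root label."""
    return b"".join(bytes([len(l)]) + l for l in wire_labels(name)) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155: SHA-1 over wire-name||salt, re-hashed `iterations` more times."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


def b32hex(digest: bytes) -> str:
    return base64.b32encode(digest).decode().translate(_B32HEX)


def nsec3_white_lie(qname: str, salt: bytes, iterations: int) -> tuple:
    """Owner hash and next hash bracketing H(qname): H-1 and H+1 (mod 2^160).
    Neither value is a real zone name, so no pre-signed NSEC3 can cover it."""
    h = int.from_bytes(nsec3_hash(qname, salt, iterations), "big")
    owner = ((h - 1) % (1 << 160)).to_bytes(20, "big")
    nxt = ((h + 1) % (1 << 160)).to_bytes(20, "big")
    return b32hex(owner), b32hex(nxt)


def covering_nsec(qname: str) -> tuple:
    """RFC 4470 names immediately before and after qname in canonical order."""
    labels = wire_labels(qname)
    after = [b"\x00"] + labels            # new leftmost label of one \000 octet
    first = bytearray(labels[0])
    if first[-1] == 0:                    # trailing \000: drop it
        del first[-1]
    else:                                 # otherwise decrement the last octet
        first[-1] -= 1
    if not first:                         # label was just \000: drop the label
        return labels[1:], after
    first += b"\xff" * (63 - len(first))  # pad with \255 up to the 63-octet max
    return [bytes(first)] + labels[1:], after
```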