Re: [DNSOP] nsec3-parameters opinions gathered
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 09 November 2021 17:57 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77E4C3A0ED2 for <dnsop@ietfa.amsl.com>; Tue, 9 Nov 2021 09:57:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HCBjAzZ2jM0L for <dnsop@ietfa.amsl.com>; Tue, 9 Nov 2021 09:57:46 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 119863A0EC7 for <dnsop@ietf.org>; Tue, 9 Nov 2021 09:57:45 -0800 (PST)
Received: from smtpclient.apple (unknown [192.168.1.159]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 772EFBE9BC for <dnsop@ietf.org>; Tue, 9 Nov 2021 12:57:44 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <6a13b459-c52b-02e7-9390-3345581df8d1@isc.org>
Date: Tue, 09 Nov 2021 12:57:43 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: dnsop@ietf.org
Message-Id: <C764C53B-C80B-4355-B8FA-BE62700CE76E@dukhovni.org>
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl> <4254eece-a024-dbe4-3a64-a7ff957ce945@pletterpet.nl> <ec14099d-adfe-09ae-a06c-80cc2a1cf793@isc.org> <ybly25yojbw.fsf@w7.hardakers.net> <6a13b459-c52b-02e7-9390-3345581df8d1@isc.org>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Hu5uyjJL4RtLYgHH5IZKZiU20zM>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 17:57:51 -0000
> On 9 Nov 2021, at 4:11 am, Petr Špaček <pspacek@isc.org> wrote: > > I don't see need to specify _a_ value here. I think better approach is acknowledge current state of things. What about something like this? > > --- > As for November 2021, the limit of 150 iterations for treating answer as insecure is interoperable without significant problems, but at the same time it makes DoS attacks based on exhausting CPU resources three times cheaper when compared to 0 iterations. > > For this reason software vendors are expected to evaluate NSEC3 iteration counts seen in wild and lower their limits over time. > --- > > What do you think about this approach? I have no objections to setting the limits to essentially zero, but would suggest: - Authoritative servers employing NSEC3 SHOULD set the (additional) iteration count to 0. Higher values may run into interoperability problems with validating resolvers and secondary servers. - Validating resolvers MAY over time reduce the maximum NSEC3 (additional) iteration count they support to as low as 1. NSEC3 iteration counts of 0 and 1 MUST continue to be supported. The reason I'd prefer that validators allow 1 as well as zero, is that: * We're then probably looking at just ~1% performance impact (extrapolated from the posted perf numbers) * It is I think not obvious to naive operators that 0 iterations really means 0 *additional* iterations, and the initial hashing step is still performed. Thus 1 is a fairly popular setting, and I'm inclined to require that it be tolerated in validators, even if we're telling auth zone operators to use 0. All that said, after the RFC is done, we'll need to do another round of outreach to TLD zone aand customer domain hosting operators as well as independent self-hosting auth zone operators, this time to ask for a reduction to 0 (as opposed to 100 or less). I hope that won't be principally (or alone) up to me. -- Viktor.
- [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Vladimír Čunát
- Re: [DNSOP] nsec3-parameters opinions gathered Benno Overeinder
- Re: [DNSOP] nsec3-parameters opinions gathered Olafur Gudmundsson
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Matthijs Mekking
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Hoffman
- Re: [DNSOP] nsec3-parameters opinions gathered A. Schulze
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Vixie
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Paul Wouters
- Re: [DNSOP] nsec3-parameters opinions gathered Mark Andrews
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Michael Bauland
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni