Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

Ondřej Surý <ondrej.sury@nic.cz> Sun, 15 March 2015 20:19 UTC

From: Ondřej Surý <ondrej.sury@nic.cz>
Date: Sun, 15 Mar 2015 21:19:26 +0100
To: Patrik Fältström <paf@frobbit.se>
Message-ID: <7988690F-B843-4729-BA78-F9454E4437F1@nic.cz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/J3xqw-llniexesDAmR-LS_zPeNU>
Cc: Edward Lewis <edward.lewis@icann.org>, dnsop@ietf.org
Subject: Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5

This is a really vague memory of it, but the main problem was that NSEC enumeration with public whois allowed data scraping.

Thus whois rate limiting, implementation of "hide-this" flags and NSEC3 were deployed to prevent the majority of it. Some limits were also implemented in the registry to prevent cross-registrar data digging via EPP.

O. 

On March 15, 2015 7:36:19 PM GMT+01:00, "Patrik Fältström" <paf@frobbit.se> wrote:
>
>> On 15 mar 2015, at 17:30, Ondřej Surý <ondrej.sury@nic.cz> wrote:
>> 
>> JFTR .cz was asked by "The Office for Personal Data Protection" to implement measures to protect the personal data for domain holders. NSEC3 was part of the solution.
>
>Can you explain more how that was part of the solution?
>
>   Patrik

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
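
What the NSEC enumeration mentioned in this message discloses, next to the NSEC3 equivalent, shown as an added example that is not part of the original e-mail or of any .cz tooling: it builds both denial chains for a constructed zone. The zone name, delegation names, salt and iteration count are assumptions chosen for illustration, and the type bitmaps of the records are left out.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648), lowercase as in zone files.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

ZONE = "example"                       # constructed zone
DELEGATIONS = ["alice-novak.example",  # constructed registrations
               "bob-shop.example", "carol.example"]
SALT, ITERATIONS = "aabbccdd", 12      # assumed NSEC3PARAM values

def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l.encode("ascii") for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex=SALT, iterations=ITERATIONS):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` further rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def nsec_chain(zone, names):
    """NSEC: (owner, next owner) pairs in canonical order, names in clear text."""
    owners = sorted(set(names) | {zone}, key=lambda n: n.split(".")[::-1])
    return [(o, owners[(i + 1) % len(owners)]) for i, o in enumerate(owners)]

def nsec3_chain(zone, names):
    """NSEC3: the same chain, but ordered and labelled by hashed owner name."""
    hashes = sorted(nsec3_hash(n) for n in set(names) | {zone})
    return [(h + "." + zone, hashes[(i + 1) % len(hashes)])
            for i, h in enumerate(hashes)]

if __name__ == "__main__":
    # Every NSEC record hands out two registered names verbatim.
    for owner, nxt in nsec_chain(ZONE, DELEGATIONS):
        print(f"{owner}. NSEC {nxt}.")
    # The NSEC3 records carry only hashes of those names.
    for owner, nxt in nsec3_chain(ZONE, DELEGATIONS):
        print(f"{owner}. NSEC3 1 0 {ITERATIONS} {SALT} {nxt}")
```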