Re: [DNSOP] nsec3-parameters opinions gathered
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 29 November 2021 17:01 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JgkrzhtJTuPvb7M36HV5ZEhleig>
> On 29 Nov 2021, at 7:55 am, Michael Bauland <Michael.Bauland@knipp.de> wrote:
>
>> The iteration count distribution for the TLDs is presently:
>>
>>     # TLDs  NSEC3 iterations
>>     ------  ----------------
>>        147   0
>>        458   1
>>          1   2
>>         14   3
>>        112   5
>>          4   8
>>        545  10
>>         29  12
>>          1  13
>>          1  15
>>          1  17
>>          6  20
>>          2  25
>>
>> The outliers above 10 are:
>>
>>     ccTLDs: bn de dk pl sg ua xn--clchc0ea0b2g2a9gcd xn--yfro4i67o
>>     gTLDs:  alstom barcelona bauhaus bcn cat erni eurovision eus firmdale gal gdn
>>             gmx ifm lacaixa madrid man mango nrw quebec radio ruhr sap scot seat
>>             sport swiss whoswho xn--55qw42g xn--80asehdb xn--80aswg xn--mgbab2bd
>>             xn--zfr164b
>
> We see your argument and have now adjusted our configurations accordingly.
> All TLDs run by CORE Association and Knipp (i.e., almost all from the gTLDs
> list above) have now reduced their NSEC3 iteration count to 0.

Nice! Thanks. Indeed I see now only 12 TLDs with more than 10 iterations:

    ccTLDs: bn de dk pl sg ua xn--clchc0ea0b2g2a9gcd xn--yfro4i67o
    gTLDs:  firmdale gdn xn--55qw42g xn--zfr164b

The new distribution is:

       175   0
       396   1
         1   2
        14   3
       113   5
         3   8
       607  10
         1  12
         1  13
         1  15
         1  17
         6  20
         2  25

Which seems to also suggest that 62 TLDs got moved from 1 to 10. :-(
Perhaps a change of platform...

Having whoever manages the 607 to switch to 0 would be a good next
milestone...

--
    Viktor.