[DNSOP] draft-ietf-dnsop-nsec3-guidance: fresh iteration count stats
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 18 October 2021 04:43 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/K4rgMzBpjU56g4jLXQLKm5biiUw>

On Fri, Oct 15, 2021 at 04:30:37PM -0700, internet-drafts@ietf.org wrote:

> Filename : draft-ietf-dnsop-nsec3-guidance-01.txt
>
> Abstract:
>    NSEC3 is a DNSSEC mechanism providing proof of non-existence by
>    promising there are no names that exist between two domainnames
>    within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly
>    disclosing the bounding domainname pairs. This document provides
>    guidance on setting NSEC3 parameters based on recent operational
>    deployment experience.

We were waiting for TransIP to complete the migration of their managed
DNS domains from 100 iterations to 0, before collecting fresh NSEC3
iteration count deployment statistics. That has now been done, and the
results are below:

    Zones successfully probed:  16,302,535
    Zones using NSEC3:          12,460,057  76.4% (of signed zones)
    Zones using opt-out:         1,162,869   9.3% (of NSEC3 zones)

Percentile cumulative distribution:

    iterations  cumulative%
             0    7.934956%
             5   71.117973%
            10   92.455026%
            15   94.808563%
            20   99.183358%
            25   99.256617%
            30   99.256745%
            35   99.266753%
            40   99.676831%
            50   99.783324%
            55   99.783508%
            60   99.783532%
            75   99.784263%
            80   99.784295%
            85   99.784664%
            90   99.784913%
            99   99.785017%
           100   99.946999%
           120   99.947151%
           150   99.998403%
           160   99.998411%
           200   99.998571%
           250   99.998628%
           300   99.998652%
           330   99.998756%
           400   99.998828%
           500   99.999655%
          1600   99.999960%
          2000   99.999976%
          2500  100.000000%

Absolute zone number per iteration count:

    iterations  zone count
             0      988700
             1     6455550
             2        3875
             3       31803
             4         188
             5     1381224
             6          95
             7       30601
             8     1461259
             9          80
            10     1166574
            11         123
            12      288651
            13          81
            14           8
            15        4389
            16       13934
            17           8
            18           9
            19           5
            20      531146
            21        9002
            22           6
            23          19
            24          88
            25          13
            27           1
            29           1
            30          14
            31           4
            32          79
            33        1131
            35          33
            40       51096
            42          35
            50       13234
            51           1
            52          19
            53           1
            54           1
            55           1
            56           2
            60           1
            64          13
            67           1
            69           2
            75          75
            77           2
            80           2
            81           8
            84           5
            85          33
            90          31
            93           1
            96           1
            99          11
           100       20183
           101           1
           107          17
           120           1
           128           6
           132           1
           139           1
           149          27
           150        6351
           160           1
           177          17
           200           3
           234           1
           250           6
           256           1
           300           2
           330          13
           333           1
           400           8
           423           1
           487           1
           500         101
          1024           2
          1337           1
          1600          35
          2000           2
          2500           3

-- 
    Viktor.