IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 17 June 2015 23:38 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 147E41B2E58 for <dnsop@ietfa.amsl.com>; Wed, 17 Jun 2015 16:38:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.353
X-Spam-Level: *
X-Spam-Status: No, score=1.353 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6XcrJIuMneZh for <dnsop@ietfa.amsl.com>; Wed, 17 Jun 2015 16:38:38 -0700 (PDT)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1754C1B2E59 for <dnsop@ietf.org>; Wed, 17 Jun 2015 16:38:38 -0700 (PDT)
Received: from [10.20.30.101] (142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t5HNcaUi025498 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 17 Jun 2015 16:38:37 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100] claimed to be [10.20.30.101]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <557FFB66.5020404@sinodun.com>
Date: Wed, 17 Jun 2015 16:38:34 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <FBC7A7CF-B10B-4B6F-87BD-4E85D0BCB5A2@vpnc.org>
References: <20150526153132.306.56516.idtracker@ietfa.amsl.com> <75E0FCDF-615C-4F54-8503-9F821C38B0D5@hopcount.ca> <D1C3C284-0B5E-4CF9-8FF5-F150E814DB8A@vpnc.org> <623EF081-ECDD-4A50-B392-CAE7E8A5B15A@hopcount.ca> <3647CB99-77E0-44AD-A7D5-C2E457552D72@vpnc.org> <557FFB66.5020404@sinodun.com>
To: John Dickinson <jad@sinodun.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Px7nvwLwsQHA8vGIqZBZ7qc1q-M>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-terminology-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2015 23:38:39 -0000

On Jun 16, 2015, at 3:33 AM, John Dickinson <jad@sinodun.com> wrote:
> 
> 
> 
> On 15/06/2015 22:35, Paul Hoffman wrote:
>>>>> "NSEC3": whether not NSEC3 is "quite different" from NSEC depends on your context. Functionally, in the narrow sense of "allows verifiable denial of existence", they are identical. I think it would be clearer to focus on their functional similarities, and point out the additional features of NSEC3 (opt-out and making zone enumeration harder), observing that any particular signed zone must use exactly one of these, not both (so, they are alternatives, and one of them is required).
>>>> Disagree. Even in the "allows verifiable denial of existence", they are quite different in that the processing needed is very different. The "fundamental similarities" are only in what is achieve, not in the way of achieving it.
>>> Perhaps we could agree on some text that confirms that they are functionally similar, whilst having quite different approaches to achieving that functionality? That seems like it would be better than declaring them to be "quite different".
>> The current text says:
>> NSEC3:
>> : The NSEC3 resource record is quite different than the NSEC resource record.
>> Like the NSEC record, the NSEC3 record also provides authenticated denial of existence; however,
>> NSEC3 records mitigates against zone enumeration and support Opt-Out.
>> NSEC3 resource records are defined in {{RFC5155}}.
>> 
>> I think the second sentence says what you want, and the first sentence is factually correct in the that the records themselves really are different.
>> 
> I dislike the current text especially "is quite different than the NSEC resource record"

OK, I'm hearing that we should remove that phrase. But, as someone who thought that the NSEC3 record would look like the NSEC record because versioning, I assure you that they really are quite different. :-)

> 
> NSEC3: An alternative to NSEC. The NSEC3 RR allows verifiable denial of existence. However, is allows the zone signer to "Opt-out" and not create an NSEC3 RR at insecure (no DS) delegations. This has the advantage of allowing the zone size to scale gracefully with the increase in signed delegations. This is especially useful for operators of large delegation centric zones. In addition, NSEC3 uses hashed owner names in order to make zone enumeration approximately as hard as it would be in an unsigned zone.

I'm hesitant to list "advantages", particularly ones that are only true for some kinds of zones.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email