Re: [DNSOP] for dnsop consideration: draft-hardaker-dnsop-nsec3-guidance-02.txt

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 12 March 2021 04:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RuOUX_6tEKsckgxfSKqRUdAUWRk>

On Fri, Feb 19, 2021 at 10:58 AM Wes Hardaker <wjhns1@hardakers.net> wrote:

>
> Greetings all,
>
> Viktor and I have been working on a BCP to provide guidance on selecting
> reasonable NSEC3 parameters.  We'd love your feedback and for dnsop to
> consider adopting it.
>
>
> A new version of I-D, draft-hardaker-dnsop-nsec3-guidance-02.txt
> has been successfully submitted by Wes Hardaker and posted to the
> IETF repository.
>
> Name:           draft-hardaker-dnsop-nsec3-guidance
> Revision:       02
> Title:          Guidance for NSEC3 parameter settings
> Document date:  2021-02-19
> Group:          Individual Submission
> Pages:          7
> URL:            https://www.ietf.org/archive/id/draft-hardaker-dnsop-nsec3-guidance-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-hardaker-dnsop-nsec3-guidance/
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-nsec3-guidance
> Htmlized:       https://tools.ietf.org/html/draft-hardaker-dnsop-nsec3-guidance-02
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-hardaker-dnsop-nsec3-guidance-02
>
> Abstract:
>    NSEC3 is a DNSSEC mechanism providing proof of non-existence by
>    promising there are no names that exist between two domainnames
>    within a zone.  Unlike its counterpart NSEC, NSEC3 avoids directly
>    disclosing the bounding domainname pairs.  This document provides
>    guidance on setting NSEC3 parameters based on recent operational
>    deployment experience.
>
>
I think this (excellent) document could benefit by including an initial
section comparing NSEC and NSEC3 (briefly).
And, in the first part of the Recommendations to Zone Publishers, add the
simple guidance, "If you don't think you would benefit from the features of
NSEC3, you should consider using NSEC instead."

Maybe throw in an observation about the rate of change or size of a zone,
about not needing to hash (on either the resolver or authority) for queries,
particularly queries for names that do not exist, and about the non-value of
Flags (Opt-Out) in leaf zones with no delegations.

Brian
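An added example (not part of Brian's message or of the draft) that makes the hashing-cost point concrete: it implements the RFC 5155 NSEC3 owner-name hash and counts the SHA-1 calls a validator spends hashing closest-encloser candidates for one NXDOMAIN proof, work that NSEC never incurs. The zone `example.`, salt `aabbccdd` and 12 iterations are the RFC 5155 Appendix A parameters; `closest_encloser_candidates` and `nxdomain_hash_work` are helper names of my own.

```python
import base64
import hashlib

# base64.b32encode uses the RFC 4648 alphabet; NSEC3 owner names use base32hex (RFC 4648 section 7)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a DNS name, which is what RFC 5155 hashes."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> tuple:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns (base32hex hashed owner name, number of SHA-1 invocations spent)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" is the empty salt in presentation form
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    hashed = base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()
    return hashed, iterations + 1


def covers(owner_hash: str, next_hash: str, qname_hash: str) -> bool:
    """True if an NSEC3 RR (owner hash, Next Hashed Owner Name) proves qname_hash does not exist.
    The last RR in the chain wraps around to the first, so the interval may straddle the end."""
    if owner_hash == next_hash:                      # single-RR chain covers everything but itself
        return qname_hash != owner_hash
    if owner_hash < next_hash:
        return owner_hash < qname_hash < next_hash
    return qname_hash > owner_hash or qname_hash < next_hash


def closest_encloser_candidates(qname: str, apex: str) -> list:
    """Names a validator may have to hash while locating the closest encloser (RFC 5155 section 8.3)."""
    labels = qname.lower().rstrip(".").split(".")
    depth = len(labels) - len(apex.lower().rstrip(".").split("."))
    return [".".join(labels[i:]) + "." for i in range(depth + 1)]


def nxdomain_hash_work(qname: str, apex: str, salt_hex: str, iterations: int) -> int:
    """SHA-1 calls a validator spends on candidate names for one NXDOMAIN proof; with NSEC this is zero."""
    return sum(nsec3_hash(n, salt_hex, iterations)[1]
               for n in closest_encloser_candidates(qname, apex))


if __name__ == "__main__":
    print(nsec3_hash("example.", "aabbccdd", 12))                        # Appendix A apex owner hash
    print(nxdomain_hash_work("x.y.w.example.", "example.", "aabbccdd", 12))
```

Raising the iteration count multiplies every number `nxdomain_hash_work` returns, on every validator and on the authority, which is the cost the draft's parameter guidance is trading off against.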