Re: [DNSOP] nsec3-parameters opinions gathered

Olafur Gudmundsson <ogud@ogud.com> Fri, 05 November 2021 19:20 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21C973A0B7D for <dnsop@ietfa.amsl.com>; Fri, 5 Nov 2021 12:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3MwTDNz_yxQ1 for <dnsop@ietfa.amsl.com>; Fri, 5 Nov 2021 12:20:01 -0700 (PDT)
Received: from smtp117.iad3a.emailsrvr.com (smtp117.iad3a.emailsrvr.com [173.203.187.117]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 814BF3A0B6E for <dnsop@ietf.org>; Fri, 5 Nov 2021 12:20:01 -0700 (PDT)
X-Auth-ID: ogud@ogud.com
Received: by smtp31.relay.iad3a.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 5CEA5248A5; Fri, 5 Nov 2021 15:20:00 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl>
Date: Fri, 05 Nov 2021 15:19:59 -0400
Cc: DNSOP Working Group <dnsop@ietf.org>, Wes Hardaker <wjhns1@hardakers.net>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E354E8D8-5584-4607-A98D-76869F5CC68B@ogud.com>
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl>
To: Benno Overeinder <benno@NLnetLabs.nl>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
X-Classification-ID: bd28ea12-4ba5-42bf-a6ae-3ade0c3ca471-1-1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T3yuAjV-8tmFRXvlveoVZSW1VIc>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 19:20:06 -0000

Publishing iteration count higher than 10 is reckless as that affects the performance of recursive resolvers in particular the ones that run on small CPE equipment.

The document should strongly discourage any use of NSEC3 <full stop> 
For the <censored> that want to keep using it the limit should be real low of what resolvers accept. 
Any value between 0 and 10 is fine with me 

Olafur


> On Nov 5, 2021, at 12:09 PM, Benno Overeinder <benno@NLnetLabs.nl> wrote:
> 
> Wes,
> 
> On 05/11/2021 09:40, Vladimír Čunát wrote:
>> On 04/11/2021 23.44, Wes Hardaker wrote:
>>> The most important sticking point is there are 4 implementations (thank
>>> you for the links Matthijs) that have implemented 150.  Since DNSOP
>>> strives for implementations of specs, I think this is the number we
>>> should publish*unless the vendors speak up and say they'll drive lower*.
>> I'm convinced that 150 was just a quick stop-gap compromise and that from the start vendors expected that dnsop might set it lower later. Therefore I don't think this *argument* for keeping 150 is really valid.
>> As for Knot Resolver, I see no problem in setting the hard limit lower, especially if that gets published in this RFC.  From Viktor I gather that 100 shouldn't cause issues even at this moment, especially if it's only a limit for downgrading to insecure (which won't be even noticed by most DNS consumers).  So personally I expected the draft to lower the bound to <=100, though as I said... for us the *overall* performance ratio from e.g. 150 -> 50 isn't that large.
> 
> For Unbound, we have no problem setting the iteration cap to a value lower than the current 150.  If Viktor's analysis shows a limit of 100 is feasible without (m)any problems for operators, and this value will be adopted in the soon-to-be-released RFC, we will use the new limit value.
> 
> 
> Cheers,
> 
> -- Benno
> 
> 
> -- 
> Benno J. Overeinder
> NLnet Labs
> https://www.nlnetlabs.nl/
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop