Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5
Ondřej Surý <ondrej.sury@nic.cz> Sun, 15 March 2015 16:50 UTC
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 404121A1B49 for <dnsop@ietfa.amsl.com>; Sun, 15 Mar 2015 09:50:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.339
X-Spam-Level: **
X-Spam-Status: No, score=2.339 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_CZ=0.445, HOST_EQ_CZ=0.904, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzL6F5Z7gRSa for <dnsop@ietfa.amsl.com>; Sun, 15 Mar 2015 09:50:15 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E9D51A0358 for <dnsop@ietf.org>; Sun, 15 Mar 2015 09:50:15 -0700 (PDT)
Received: from zimbra.rfc1925.org (calcifer.nic.cz [217.31.202.36]) by mail.nic.cz (Postfix) with ESMTP id D81F613FA8A; Sun, 15 Mar 2015 17:50:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1426438213; bh=hpt4gwKCUmsQ5mP0ae0mE1ysXdmebCB1Nj/LuoDCPYQ=; h=Date:From:To:Cc:Message-ID:In-Reply-To:References:Subject: MIME-Version:Content-Type:Content-Transfer-Encoding; b=nChfxa879w8s63abt3/PbJ/SGE+y/VPquvptnefSQq3ugj8yIsxFpZ6I27PPy0Xsw /XnzywP6GSfQkqB/FI2pI1PSLFbSoivw9/P9883Dd68Ap7wj9THAS962GMKy2v6Glm hgSfvY7HN4+ZHAuUlhKuyaOOzKvuqYrlyj1Wcr/s=
Date: Sun, 15 Mar 2015 17:30:27 +0100
From: Ondřej Surý <ondrej.sury@nic.cz>
To: Edward Lewis <edward.lewis@icann.org>
Message-ID: <1085336065.26227.1426437027452.JavaMail.zimbra@nic.cz>
In-Reply-To: <D126F949.9B95%edward.lewis@icann.org>
References: <D126F949.9B95%edward.lewis@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [217.31.202.36]
X-Mailer: Zimbra 8.6.0_GA_1153 (ZimbraWebClient - GC41 (Win)/8.6.0_GA_1153)
Thread-Topic: Using NSEC3 for opt-out, was Re: [DNSOP] Comments regarding the NSEC5
Thread-Index: AQHQXL4h5cwMj7IaF0ildxDMxfY5XnNqiJ1s
X-Virus-Scanned: clamav-milter 0.98.6 at mail
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/TSun9PWisLxtcC05FZhW3XZ4qE8>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Mar 2015 16:50:16 -0000
JFTR .cz was asked by "The Office for Personal Data Protection" to implement measures to protect the personal data for domain holders. NSEC3 was part of the solution. O. -- Ondřej Surý -- Chief Science Officer -------------------------------------------- CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC Milesovska 5, 130 00 Praha 3, Czech Republic mailto:ondrej.sury@nic.cz https://nic.cz/ -------------------------------------------- ----- Original Message ----- > From: "Edward Lewis" <edward.lewis@icann.org> > To: dnsop@ietf.org > Sent: Thursday, March 12, 2015 1:14:46 PM > Subject: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5 > On 3/12/15, 6:31, "Florian Weimer" <fweimer@redhat.com> wrote: > >>And does anyone actually use opt out with NSEC3? > > Currently twenty-one TLDs use NSEC3 with 0 iterations and no salt. > Nineteen more use no salt with more than 1 iteration. > > That's just a count of what's in the root zone delegations. I haven't > asked if they all use NSEC3 for opt-out, but given those parameters and > based on at least one private conversation with one of the operators, I'm > sure these are 40 cases of zones using NSEC3 for it's opt-out capability. > (Subsets of the 40 zones are operated by the same entity, so it's not > necessarily 40 operators.) > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Ondřej Surý
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Ondřej Surý
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Patrik Fältström
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Patrik Fältström
- [DNSOP] Using NSEC3 for opt-out, was Re: Comments… Edward Lewis