Re: [DNSOP] nsec3-parameters opinions gathered
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 05 November 2021 20:45 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6A073A0DFC for <dnsop@ietfa.amsl.com>; Fri, 5 Nov 2021 13:45:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fu3tkiew5lfx for <dnsop@ietfa.amsl.com>; Fri, 5 Nov 2021 13:45:15 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B2F03A0E03 for <dnsop@ietf.org>; Fri, 5 Nov 2021 13:45:15 -0700 (PDT)
Received: from smtpclient.apple (unknown [192.168.1.159]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 07EC8BBD2B for <dnsop@ietf.org>; Fri, 5 Nov 2021 16:45:14 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <E354E8D8-5584-4607-A98D-76869F5CC68B@ogud.com>
Date: Fri, 05 Nov 2021 16:45:13 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: dnsop@ietf.org
Message-Id: <60AB8BC5-1A5D-4520-9850-8CB9D1EE163F@dukhovni.org>
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl> <E354E8D8-5584-4607-A98D-76869F5CC68B@ogud.com>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/W2UvtgRpdkBTX2_W8fJLgCemT8M>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 20:45:20 -0000
> On 5 Nov 2021, at 3:19 pm, Olafur Gudmundsson <ogud@ogud.com> wrote: > > Publishing iteration count higher than 10 is reckless as that affects the performance of recursive resolvers in particular the ones that run on small CPE equipment. > > The document should strongly discourage any use of NSEC3 <full stop> > For the <censored> that want to keep using it the limit should be real low of what resolvers accept. > Any value between 0 and 10 is fine with me I hope to see some hint of consensus at the meeting, but would like to mention, that a realistic *aggressive* target would 20 rather than 10. There are >0.5M zones with 20 iterations, and it is likely too much work for insufficient gain to get them to reduce this to 10 or less. If the WG consensus it to go *aggressive*, then the limit should I suggest be 20. Other plausible values that non-trivially reduce impact are 40, 50 and 100. The multiple-choice question for the recommended resolver limits (highest accepted, not lowest rejected) is then: A. 20 B. 40 C. 50 D. 100 E. 150 And as for SERVFAIL, note that wildcard responses are often NSEC3 authenticated, so they'd stop working in zones over the SERVFAIL limit. Therefore, I think the choices here are more limited, unless we're planning to hold off resolver implementation until many more zones make changes post publication of the RFC. In the short run, the realistic upper bounds before SERVFAIL are: A. 150 (More stringent current de facto limit) B. 500 (Raytheon special) C. Never (Carrot sans stick) If some zones don't care that they're now insecure, we can report their DoE and wildcards as insecure, and hope they'll eventually care. Meanwhile, their positive answers still validate, but can be freely replaced with an insecure NODATA (zone apex) or any insecure answer (positive, NODATA or NXDOMAIN) at any qname properly below the zone apex. -- Viktor.
- [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Vladimír Čunát
- Re: [DNSOP] nsec3-parameters opinions gathered Benno Overeinder
- Re: [DNSOP] nsec3-parameters opinions gathered Olafur Gudmundsson
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Matthijs Mekking
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Hoffman
- Re: [DNSOP] nsec3-parameters opinions gathered A. Schulze
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Vixie
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Paul Wouters
- Re: [DNSOP] nsec3-parameters opinions gathered Mark Andrews
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Michael Bauland
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni