Re: [DNSOP] Updated NSEC5 protocol spec and paper
"Paul Hoffman" <paul.hoffman@vpnc.org> Thu, 09 March 2017 17:31 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 166FF1296D6 for <dnsop@ietfa.amsl.com>; Thu, 9 Mar 2017 09:31:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JzDjnCR7_DNU for <dnsop@ietfa.amsl.com>; Thu, 9 Mar 2017 09:31:31 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77FAC1296C3 for <dnsop@ietf.org>; Thu, 9 Mar 2017 09:31:31 -0800 (PST)
Received: from [10.32.60.20] (142-254-101-176.dsl.dynamic.fusionbroadband.com [142.254.101.176]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id v29HVPUf005212 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <dnsop@ietf.org>; Thu, 9 Mar 2017 10:31:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 142-254-101-176.dsl.dynamic.fusionbroadband.com [142.254.101.176] claimed to be [10.32.60.20]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Date: Thu, 09 Mar 2017 09:31:29 -0800
Message-ID: <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org>
In-Reply-To: <CAHPuVdXTcSaVcN6fBbPy3e=PgRvg8=GemSN_YFhzX387x8YW-A@mail.gmail.com>
References: <CAHPuVdXTcSaVcN6fBbPy3e=PgRvg8=GemSN_YFhzX387x8YW-A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.6r5347)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YFvCgbR0ZxwuwZuGyBe3mdnSXoc>
Subject: Re: [DNSOP] Updated NSEC5 protocol spec and paper
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 17:31:35 -0000
On 7 Mar 2017, at 7:29, Shumon Huque wrote: > We've requested an agenda slot at the DNSOP working group meeting at > IETF98 to talk about the NSEC5 protocol. Our chairs have requested > that > we send out a note to the group ahead of time, so here it is. > > This protocol has not to our knowledge been presented at dnsop before, > but has been discussed previously at other IETF venues, such as SAAG. The protocol described in draft-vcelak-nsec5 has improved since it was first presented, but it is still unclear why we should adopt it as part of DNSSEC. The benefits listed in the draft are real, but they come at a very steep cost for zone administrators who might use NSEC5. Is there a community of zone admins who want this so much that they won't start signing until it exists? Short of that, is there a community of zone admins who are using NSEC/NSEC3 white lies who find this to be a significant improvement? If not, adopting this seems like a bad idea. No one can operationally sign with NSEC5 until nearly all validators have it installed. In the meantime, a zone admin who cares about zone enumeration and wants to sign will use white lies, and those who don't care about zone enumeration won't pay any attention to this. Even though this document has some really nice design decisions in it, should it be adopted in DNSSEC unless it is likely to be deployed? --Paul Hoffman
- [DNSOP] Updated NSEC5 protocol spec and paper Shumon Huque
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Dave Lawrence
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Paul Hoffman
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Paul Wouters
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Roy Arends
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Tim Wicinski
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Roy Arends
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Woodworth, John R
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Evan Hunt
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Warren Kumari
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Shumon Huque
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Frederico A C Neves
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- [DNSOP] Opt-in, zone enumeration and dnsext histo… Jim Reid
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Jim Reid
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Dave Lawrence
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Paul Hoffman
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Ralf Weber