IETF Logo Mail Archive

Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

Wes Hardaker <wjhns1@hardakers.net> Wed, 09 February 2022 21:11 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B4593A067A for <dnsop@ietfa.amsl.com>; Wed, 9 Feb 2022 13:11:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e2hdEYbBGogz for <dnsop@ietfa.amsl.com>; Wed, 9 Feb 2022 13:11:45 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9421B3A03F7 for <dnsop@ietf.org>; Wed, 9 Feb 2022 13:11:45 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id E416F2FCBA; Wed, 9 Feb 2022 13:11:44 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Petr Špaček <pspacek@isc.org>
Cc: dnsop@ietf.org
References: <163777315136.16773.10633006296842101587@ietfa.amsl.com> <yblh7c1fpwf.fsf@w7.hardakers.net> <914ced6b-52c7-9354-4b91-87f80cd26037@pletterpet.nl> <6153c0ed-523a-5225-40ac-5be9fd5e6ed5@isc.org>
Date: Wed, 09 Feb 2022 13:11:44 -0800
In-Reply-To: <6153c0ed-523a-5225-40ac-5be9fd5e6ed5@isc.org> ("Petr Špaček"'s message of "Thu, 25 Nov 2021 13:00:33 +0100")
Message-ID: <yblk0e3923z.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZMvfGkrDdQiL3ckFJeQa1ovAfk0>
Subject: Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2022 21:11:51 -0000

Petr Špaček <pspacek@isc.org> writes:

> > 3.1.  Best-practice for zone publishers
> > I wonder if we can make the requirement even stronger by saying "If 
> > NSEC3 must be used, then an iterations count of 0 MUST be used to
> > alleviate computational burdens." (MUST instead of SHOULD).
> > Or is there a valid reason for zone publishers to set iterations to
> > a non-zero value?
> 
> This section is IMHO missing a scary warning to explain the
> reasons. Let add one couple sentences (+ "extra" keyword to
> differentiate it from the implicit single iteration):
> 
> ----------
> If NSEC3 must be used, then an extra iterations count of 0 SHOULD be
> used to alleviate computational burdens.
> 
> Please note that extra iteration counts other than 0 increase impact
> of resource CPU-exhausting DoS attacks, and also increase risk of 
> interoperability problems.
> ----------

Sentence added -- seems wildly agreed upon.
-- 
Wes Hardaker
USC/ISI

v2.31.3 | Report a Bug | By Email | System Status