Re: [DNSOP] Updated NSEC5 protocol spec and paper

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 09 March 2017 20:58 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8E41294A3 for <dnsop@ietfa.amsl.com>; Thu, 9 Mar 2017 12:58:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.668
X-Spam-Level:
X-Spam-Status: No, score=-1.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8RLsLwExC-m4 for <dnsop@ietfa.amsl.com>; Thu, 9 Mar 2017 12:58:23 -0800 (PST)
Received: from mail-yb0-x235.google.com (mail-yb0-x235.google.com [IPv6:2607:f8b0:4002:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DDA412948F for <dnsop@ietf.org>; Thu, 9 Mar 2017 12:58:23 -0800 (PST)
Received: by mail-yb0-x235.google.com with SMTP id a5so5529476ybb.2 for <dnsop@ietf.org>; Thu, 09 Mar 2017 12:58:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=9gScIk4A2Sgb94NP9loTPy/wKxFflnP6BxGivcVlCl4=; b=K2HM7R3EVBXRi7lRl3C+uOQ+xh/0N4VqfknQdtHinO0SYbiombjk4Z34XxREJI889j CC0NNpDAQB8ieS/9Lv77Jl20qF4rlbSr5FK4zJ6r82UuEcSWfCr3cQLaPuiezAYISrtt UtYeL3xuXWfwzZDCMfcqqB0ROwHkKbSwjNrr7iaOdTm+DXVyHSdTyXtissnFGNbmb6MH jVUegc5dFlBelW7eVv4NGvvPjCVF+OnToUyCxI9+CyD1MfyEODU8/XTHVA1a05x4GyuS iWV3O/43Tt+aBtk/hP1uDQqprriFGeh7+mvSIZ6c6en2D6KessDqSg8wRFJSFpwvtJSO TNhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=9gScIk4A2Sgb94NP9loTPy/wKxFflnP6BxGivcVlCl4=; b=uYPJ+Rj/v4h7ehjVsSRznGrPu8h33v51dRuV8M99+7iXA3yD6SoDZ9akMIQUPdTPOz qXdbFscKuepUkWAOO9ZbxQzU4lIZf6X68JYsZGSrmi/rLa1HpFGYD7M4QKCDFWy1qr4g v2o6AZ6iG1TG5/APHRbqsaTAEhNe4Ab4+Ue5oJ29peqyIMCDOflmDzPWgT1n75++EIMZ w6NdrLXN583vaxkmvuC7f4HVkuSmxwAVGE2eUHqonCxgkOq+X25KL4629rzZCQuDbB90 6rPOxSJhIGg62lLpYEsSnCefZjfM+su8nY9qd3zUnMohSmgMxEh6B9ujO6+jOkPXpiXZ IUTA==
X-Gm-Message-State: AMke39mTgVXHVpfP+CTzpdWq5Cd1SWWSRb445OxeB8QsXpW1zqGOyIVuLDmPBd6ia+DyXEQYVRtupgoEap5vwA==
X-Received: by 10.37.96.137 with SMTP id u131mr5213849ybb.1.1489093102478; Thu, 09 Mar 2017 12:58:22 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.83.19.20 with HTTP; Thu, 9 Mar 2017 12:58:21 -0800 (PST)
In-Reply-To: <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org>
References: <CAHPuVdXTcSaVcN6fBbPy3e=PgRvg8=GemSN_YFhzX387x8YW-A@mail.gmail.com> <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 9 Mar 2017 15:58:21 -0500
X-Google-Sender-Auth: NULpgCeMYeOtiB_r-6glE6sRxA4
Message-ID: <CAMm+LwgoQEN42DCbWDDy0vNTcJ1tBovX18txDErzcxFTOoAzSw@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary=001a1143cd7469690f054a528128
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZyRp2-9uEVYrsCdlI3w-31wDHZ0>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] Updated NSEC5 protocol spec and paper
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 20:58:24 -0000

The perfect is the enemy of the good.

I suggest we first deploy NSEC0 which simply nulls out the whole NSEC/NXT
issue entirely. At this point anyone who is deploying DNSSEC is helping the
cause. Do not set membership requirements that exclude them.

Node insertion is a security concern for some DNSSEC applications but not
for all.

Implementing NSEC0 would not be a burden on validators. If nobody uses it
then there is no harm to it. If people only use it for a short time during
deployment then it is useful. If people use it and won't stop then that is
proof of a demand for NSEC5.


I completely reject your notion of where validation occurs and what the
value is BTW but that is a different issue. Bottom line is that I do not
depend on validators being deployed to the end points as I do not expect
that to happen soon and quite possibly not ever.


On Thu, Mar 9, 2017 at 12:31 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On 7 Mar 2017, at 7:29, Shumon Huque wrote:
>
> We've requested an agenda slot at the DNSOP working group meeting at
>> IETF98 to talk about the NSEC5 protocol. Our chairs have requested that
>> we send out a note to the group ahead of time, so here it is.
>>
>> This protocol has not to our knowledge been presented at dnsop before,
>> but has been discussed previously at other IETF venues, such as SAAG.
>>
>
> The protocol described in draft-vcelak-nsec5 has improved since it was
> first presented, but it is still unclear why we should adopt it as part of
> DNSSEC. The benefits listed in the draft are real, but they come at a very
> steep cost for zone administrators who might use NSEC5.
>
> Is there a community of zone admins who want this so much that they won't
> start signing until it exists?
>
> Short of that, is there a community of zone admins who are using
> NSEC/NSEC3 white lies who find this to be a significant improvement?
>
> If not, adopting this seems like a bad idea. No one can operationally sign
> with NSEC5 until nearly all validators have it installed. In the meantime,
> a zone admin who cares about zone enumeration and wants to sign will use
> white lies, and those who don't care about zone enumeration won't pay any
> attention to this.
>
> Even though this document has some really nice design decisions in it,
> should it be adopted in DNSSEC unless it is likely to be deployed?
>
> --Paul Hoffman
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>