Re: [DNSOP] Updated NSEC5 protocol spec and paper

Phillip Hallam-Baker <> Thu, 09 March 2017 20:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9E8E41294A3 for <>; Thu, 9 Mar 2017 12:58:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.668
X-Spam-Status: No, score=-1.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8RLsLwExC-m4 for <>; Thu, 9 Mar 2017 12:58:23 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4DDA412948F for <>; Thu, 9 Mar 2017 12:58:23 -0800 (PST)
Received: by with SMTP id a5so5529476ybb.2 for <>; Thu, 09 Mar 2017 12:58:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=9gScIk4A2Sgb94NP9loTPy/wKxFflnP6BxGivcVlCl4=; b=K2HM7R3EVBXRi7lRl3C+uOQ+xh/0N4VqfknQdtHinO0SYbiombjk4Z34XxREJI889j CC0NNpDAQB8ieS/9Lv77Jl20qF4rlbSr5FK4zJ6r82UuEcSWfCr3cQLaPuiezAYISrtt UtYeL3xuXWfwzZDCMfcqqB0ROwHkKbSwjNrr7iaOdTm+DXVyHSdTyXtissnFGNbmb6MH jVUegc5dFlBelW7eVv4NGvvPjCVF+OnToUyCxI9+CyD1MfyEODU8/XTHVA1a05x4GyuS iWV3O/43Tt+aBtk/hP1uDQqprriFGeh7+mvSIZ6c6en2D6KessDqSg8wRFJSFpwvtJSO TNhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=9gScIk4A2Sgb94NP9loTPy/wKxFflnP6BxGivcVlCl4=; b=uYPJ+Rj/v4h7ehjVsSRznGrPu8h33v51dRuV8M99+7iXA3yD6SoDZ9akMIQUPdTPOz qXdbFscKuepUkWAOO9ZbxQzU4lIZf6X68JYsZGSrmi/rLa1HpFGYD7M4QKCDFWy1qr4g v2o6AZ6iG1TG5/APHRbqsaTAEhNe4Ab4+Ue5oJ29peqyIMCDOflmDzPWgT1n75++EIMZ w6NdrLXN583vaxkmvuC7f4HVkuSmxwAVGE2eUHqonCxgkOq+X25KL4629rzZCQuDbB90 6rPOxSJhIGg62lLpYEsSnCefZjfM+su8nY9qd3zUnMohSmgMxEh6B9ujO6+jOkPXpiXZ IUTA==
X-Gm-Message-State: AMke39mTgVXHVpfP+CTzpdWq5Cd1SWWSRb445OxeB8QsXpW1zqGOyIVuLDmPBd6ia+DyXEQYVRtupgoEap5vwA==
X-Received: by with SMTP id u131mr5213849ybb.1.1489093102478; Thu, 09 Mar 2017 12:58:22 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Thu, 9 Mar 2017 12:58:21 -0800 (PST)
In-Reply-To: <>
References: <> <>
From: Phillip Hallam-Baker <>
Date: Thu, 09 Mar 2017 15:58:21 -0500
X-Google-Sender-Auth: NULpgCeMYeOtiB_r-6glE6sRxA4
Message-ID: <>
To: Paul Hoffman <>
Content-Type: multipart/alternative; boundary="001a1143cd7469690f054a528128"
Archived-At: <>
Cc: " WG" <>
Subject: Re: [DNSOP] Updated NSEC5 protocol spec and paper
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 09 Mar 2017 20:58:24 -0000

The perfect is the enemy of the good.

I suggest we first deploy NSEC0 which simply nulls out the whole NSEC/NXT
issue entirely. At this point anyone who is deploying DNSSEC is helping the
cause. Do not set membership requirements that exclude them.

Node insertion is a security concern for some DNSSEC applications but not
for all.

Implementing NSEC0 would not be a burden on validators. If nobody uses it
then there is no harm to it. If people only use it for a short time during
deployment then it is useful. If people use it and won't stop then that is
proof of a demand for NSEC5.

I completely reject your notion of where validation occurs and what the
value is BTW but that is a different issue. Bottom line is that I do not
depend on validators being deployed to the end points as I do not expect
that to happen soon and quite possibly not ever.

On Thu, Mar 9, 2017 at 12:31 PM, Paul Hoffman <> wrote:

> On 7 Mar 2017, at 7:29, Shumon Huque wrote:
> We've requested an agenda slot at the DNSOP working group meeting at
>> IETF98 to talk about the NSEC5 protocol. Our chairs have requested that
>> we send out a note to the group ahead of time, so here it is.
>> This protocol has not to our knowledge been presented at dnsop before,
>> but has been discussed previously at other IETF venues, such as SAAG.
> The protocol described in draft-vcelak-nsec5 has improved since it was
> first presented, but it is still unclear why we should adopt it as part of
> DNSSEC. The benefits listed in the draft are real, but they come at a very
> steep cost for zone administrators who might use NSEC5.
> Is there a community of zone admins who want this so much that they won't
> start signing until it exists?
> Short of that, is there a community of zone admins who are using
> NSEC/NSEC3 white lies who find this to be a significant improvement?
> If not, adopting this seems like a bad idea. No one can operationally sign
> with NSEC5 until nearly all validators have it installed. In the meantime,
> a zone admin who cares about zone enumeration and wants to sign will use
> white lies, and those who don't care about zone enumeration won't pay any
> attention to this.
> Even though this document has some really nice design decisions in it,
> should it be adopted in DNSSEC unless it is likely to be deployed?
> --Paul Hoffman
> _______________________________________________
> DNSOP mailing list