Re: [DNSOP] Updated NSEC5 protocol spec and paper
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 09 March 2017 20:58 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8E41294A3 for <dnsop@ietfa.amsl.com>; Thu, 9 Mar 2017 12:58:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.668
X-Spam-Level:
X-Spam-Status: No, score=-1.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.229, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8RLsLwExC-m4 for <dnsop@ietfa.amsl.com>; Thu, 9 Mar 2017 12:58:23 -0800 (PST)
Received: from mail-yb0-x235.google.com (mail-yb0-x235.google.com [IPv6:2607:f8b0:4002:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DDA412948F for <dnsop@ietf.org>; Thu, 9 Mar 2017 12:58:23 -0800 (PST)
Received: by mail-yb0-x235.google.com with SMTP id a5so5529476ybb.2 for <dnsop@ietf.org>; Thu, 09 Mar 2017 12:58:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=9gScIk4A2Sgb94NP9loTPy/wKxFflnP6BxGivcVlCl4=; b=K2HM7R3EVBXRi7lRl3C+uOQ+xh/0N4VqfknQdtHinO0SYbiombjk4Z34XxREJI889j CC0NNpDAQB8ieS/9Lv77Jl20qF4rlbSr5FK4zJ6r82UuEcSWfCr3cQLaPuiezAYISrtt UtYeL3xuXWfwzZDCMfcqqB0ROwHkKbSwjNrr7iaOdTm+DXVyHSdTyXtissnFGNbmb6MH jVUegc5dFlBelW7eVv4NGvvPjCVF+OnToUyCxI9+CyD1MfyEODU8/XTHVA1a05x4GyuS iWV3O/43Tt+aBtk/hP1uDQqprriFGeh7+mvSIZ6c6en2D6KessDqSg8wRFJSFpwvtJSO TNhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=9gScIk4A2Sgb94NP9loTPy/wKxFflnP6BxGivcVlCl4=; b=uYPJ+Rj/v4h7ehjVsSRznGrPu8h33v51dRuV8M99+7iXA3yD6SoDZ9akMIQUPdTPOz qXdbFscKuepUkWAOO9ZbxQzU4lIZf6X68JYsZGSrmi/rLa1HpFGYD7M4QKCDFWy1qr4g v2o6AZ6iG1TG5/APHRbqsaTAEhNe4Ab4+Ue5oJ29peqyIMCDOflmDzPWgT1n75++EIMZ w6NdrLXN583vaxkmvuC7f4HVkuSmxwAVGE2eUHqonCxgkOq+X25KL4629rzZCQuDbB90 6rPOxSJhIGg62lLpYEsSnCefZjfM+su8nY9qd3zUnMohSmgMxEh6B9ujO6+jOkPXpiXZ IUTA==
X-Gm-Message-State: AMke39mTgVXHVpfP+CTzpdWq5Cd1SWWSRb445OxeB8QsXpW1zqGOyIVuLDmPBd6ia+DyXEQYVRtupgoEap5vwA==
X-Received: by 10.37.96.137 with SMTP id u131mr5213849ybb.1.1489093102478; Thu, 09 Mar 2017 12:58:22 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.83.19.20 with HTTP; Thu, 9 Mar 2017 12:58:21 -0800 (PST)
In-Reply-To: <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org>
References: <CAHPuVdXTcSaVcN6fBbPy3e=PgRvg8=GemSN_YFhzX387x8YW-A@mail.gmail.com> <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 09 Mar 2017 15:58:21 -0500
X-Google-Sender-Auth: NULpgCeMYeOtiB_r-6glE6sRxA4
Message-ID: <CAMm+LwgoQEN42DCbWDDy0vNTcJ1tBovX18txDErzcxFTOoAzSw@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary="001a1143cd7469690f054a528128"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZyRp2-9uEVYrsCdlI3w-31wDHZ0>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] Updated NSEC5 protocol spec and paper
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 20:58:24 -0000
The perfect is the enemy of the good. I suggest we first deploy NSEC0 which simply nulls out the whole NSEC/NXT issue entirely. At this point anyone who is deploying DNSSEC is helping the cause. Do not set membership requirements that exclude them. Node insertion is a security concern for some DNSSEC applications but not for all. Implementing NSEC0 would not be a burden on validators. If nobody uses it then there is no harm to it. If people only use it for a short time during deployment then it is useful. If people use it and won't stop then that is proof of a demand for NSEC5. I completely reject your notion of where validation occurs and what the value is BTW but that is a different issue. Bottom line is that I do not depend on validators being deployed to the end points as I do not expect that to happen soon and quite possibly not ever. On Thu, Mar 9, 2017 at 12:31 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote: > On 7 Mar 2017, at 7:29, Shumon Huque wrote: > > We've requested an agenda slot at the DNSOP working group meeting at >> IETF98 to talk about the NSEC5 protocol. Our chairs have requested that >> we send out a note to the group ahead of time, so here it is. >> >> This protocol has not to our knowledge been presented at dnsop before, >> but has been discussed previously at other IETF venues, such as SAAG. >> > > The protocol described in draft-vcelak-nsec5 has improved since it was > first presented, but it is still unclear why we should adopt it as part of > DNSSEC. The benefits listed in the draft are real, but they come at a very > steep cost for zone administrators who might use NSEC5. > > Is there a community of zone admins who want this so much that they won't > start signing until it exists? > > Short of that, is there a community of zone admins who are using > NSEC/NSEC3 white lies who find this to be a significant improvement? > > If not, adopting this seems like a bad idea. No one can operationally sign > with NSEC5 until nearly all validators have it installed. In the meantime, > a zone admin who cares about zone enumeration and wants to sign will use > white lies, and those who don't care about zone enumeration won't pay any > attention to this. > > Even though this document has some really nice design decisions in it, > should it be adopted in DNSSEC unless it is likely to be deployed? > > --Paul Hoffman > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Updated NSEC5 protocol spec and paper Shumon Huque
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Dave Lawrence
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Paul Hoffman
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Paul Wouters
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Roy Arends
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Tim Wicinski
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Roy Arends
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Woodworth, John R
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Evan Hunt
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Warren Kumari
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Shumon Huque
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Frederico A C Neves
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Phillip Hallam-Baker
- [DNSOP] Opt-in, zone enumeration and dnsext histo… Jim Reid
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Jim Reid
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Dave Lawrence
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Paul Hoffman
- Re: [DNSOP] Updated NSEC5 protocol spec and paper Ralf Weber