IETF Logo Mail Archive

Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Olaf Kolkman <olaf@NLnetLabs.nl> Tue, 23 February 2010 10:02 UTC

Return-Path: <olaf@NLnetLabs.nl>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1490328C16D for <dnsop@core3.amsl.com>; Tue, 23 Feb 2010 02:02:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.467
X-Spam-Level:
X-Spam-Status: No, score=-102.467 tagged_above=-999 required=5 tests=[AWL=-0.467, BAYES_00=-2.599, J_CHICKENPOX_53=0.6, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h19YCrR28Wn8 for <dnsop@core3.amsl.com>; Tue, 23 Feb 2010 02:01:55 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id 350E228C127 for <dnsop@ietf.org>; Tue, 23 Feb 2010 02:01:51 -0800 (PST)
Received: from [IPv6:2001:7b8:206:1:226:bbff:fe0e:7cc7] ([IPv6:2001:7b8:206:1:226:bbff:fe0e:7cc7]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id o1NA3hB2078316 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 23 Feb 2010 11:03:44 +0100 (CET) (envelope-from olaf@NLnetLabs.nl)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Olaf Kolkman <olaf@NLnetLabs.nl>
In-Reply-To: <823a0s4dvz.fsf@mid.bfk.de>
Date: Tue, 23 Feb 2010 11:03:42 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <2D6420F9-2101-45B6-8B29-E83502FAC498@NLnetLabs.nl>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <8E6C64ED-A336-4E8B-996F-9FB471EB07C6@NLnetLabs.nl> <823a0s4dvz.fsf@mid.bfk.de>
To: Florian Weimer <fweimer@bfk.de>
X-Mailer: Apple Mail (2.1077)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Tue, 23 Feb 2010 11:03:45 +0100 (CET)
Cc: dnsop WG <dnsop@ietf.org>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 10:02:01 -0000

On Feb 23, 2010, at 8:20 AM, Florian Weimer wrote:

> * Olaf Kolkman:
> 
>> 5.3.3.  NSEC3 Salt
>> 
>>   The salt with NSEC3 is not used to increase the work required by an
>>   attacker attacking multiple domains, but as a method to enable
>>   creating a new set of hash values if at some point that might be
>>   required.  The salt is used as a "roll over".  The FQDN RRlabel,
>>   which is part of the value that is hashed, already ensures that brute
>>   force work for one RRlabel can not be re-used to attack other RRlabel
>>   due to their uniquenes.
>> 
>>   Key rollovers limit the amount of time attackers can spend on
>>   attacking a certain key before it is retired.  The salt serves the
>>   same purpose for the hashes, which are independant of the key being
>> 
>> 
>> 
>> Kolkman & Gieben        Expires September 8, 2009              [Page 33]
>> Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
>> 
>> 
>>   used, and therefor do not change when rolling over a key.  Changing
>>   the salt would cause an attacker to lose all precalculated work for
>>   that zone.
>> 
>>   The salt of all NSEC3 records in a zone needs to be the same.  Since
>>   changing the salt requires the NSEC3 records to be regenerated, and
>>   thus requires generating new RRSIG's over these NSEC3 records, it is
>>   recommended to only change the salt when changing the Zone Signing
>>   Key, as that process in itself already requires all RRSIG's to be
>>   regenerated.
> 
> "However, unlike Zone Signing Key changes, NSEC3 salt changes do not
> need special rollover procedures.  It is possible to change the salt
> each time the zone is updated."
> 

ACK




> (Assuming that this is true, which I think it is.)
> 
> Perhaps the following is helpful as well?
> 
> 5.3.5 Response size considerations
> 
> NSEC3 records are larger than NSEC records because of the embedded
> hashes.  However, NSEC records are sometimes returned in response to
> DO=0 queries, pushing the response over the 512 byte limit and causing
> TCP fallback (or worse).  This does not happen with NSEC3 records
> because their owner name does not normally match the queried name.
> Therefore, NSEC3 records provide better insulation of child zones from
> the DNSSEC deployment in the parent zone.


Isn't that only the case for QTYPE=ANY?  Or when the server at the authoritative side is broken? 

For both cases I do not think that this is a strong consideration. 


Also, but orthogonal,

At Labs we are about to measure the impact of the amount of NSEC3 iterations on a recursive nameserver. Maybe there are some additional considerations that flow from that, will keep you all posted.

--Olaf

________________________________________________________ 

Olaf M. Kolkman                        NLnet Labs
                                       Science Park 140, 
http://www.nlnetlabs.nl/               1098 XG Amsterdam

v2.23.0 | Report a Bug | By Email