Re: [DNSOP] Comments regarding the NSEC5
Paul Hoffman <paul.hoffman@vpnc.org> Wed, 11 March 2015 17:02 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <55006FC7.1030206@nic.cz>
Date: Wed, 11 Mar 2015 10:02:31 -0700
Message-Id: <6A18EC55-81DC-4849-90A3-18F724208B19@vpnc.org>
References: <55002098.5060709@redhat.com> <55006AF8.4090500@nic.cz> <55006D98.7000300@redhat.com> <55006FC7.1030206@nic.cz>
To: Jan Včelák <jan.vcelak@nic.cz>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/b_DI54Vio2zL5lMzMgANOTg41Ro>
Cc: Florian Weimer <fweimer@redhat.com>, dnsop@ietf.org
Subject: Re: [DNSOP] Comments regarding the NSEC5
> On Mar 11, 2015, at 9:39 AM, Jan Včelák <jan.vcelak@nic.cz> wrote:
>
> On 11.3.2015 17:30, Florian Weimer wrote:
>> On 03/11/2015 05:19 PM, Jan Včelák wrote:
>>
>>>> It's not clear if the security goals make sense. What do zone operators
>>>> gain if zone enumeration attacks are moved from offline to online, other
>>>> than a need to provision additional server capacity? It's not that they
>>>> can block resolution requests from large resolvers if a part of their
>>>> client population participates in aggressive enumeration.
>>>
>>> It depends whether you see zone enumeration as a problem.
>>
>> If I really want to enumerate a zone, I will just send my dictionary as
>> queries, possibly through open resolvers. People are reckless like
>> that. At least with NSEC3, polite attackers can do some of the
>> processing off-line, without punishing authoritative servers or
>> resolvers. NSEC5 takes away that option. Do the existing enumerators
>> care? Who knows.
>
> I really can't tell. I don't know.

Proposal: until there is evidence that there is a community that needs the features of NSEC5 that cannot be easily replicated in NSEC3, this WG does not consider a protocol change that would require every resolver to be updated.

--Paul Hoffman
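The property Florian describes above (with NSEC3, the work can be done off-line) follows from how any RFC 5155 validator derives NSEC3 owner names: the hash needs only the public NSEC3PARAM values, whereas NSEC5's proof needs the zone's private key. As an added illustration that is not part of this thread, here is that derivation checked against the "example" zone vector from RFC 5155 Appendix A, together with the gap-covering check a validator performs for a name error; the query name "nonexistent.example" is constructed.

```python
import hashlib

# base32hex alphabet (RFC 4648 "extended hex"); it preserves byte-wise sort
# order, which is why NSEC3 chain gaps can be compared as strings.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def _wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        lb = label.encode("ascii")
        out += bytes([len(lb)]) + lb
    return out + b"\x00"


def _base32hex(data: bytes) -> str:
    """Unpadded base32hex; data bits are left-aligned into 5-bit groups."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(_B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` further rounds
    of SHA-1(previous || salt). Only the public NSEC3PARAM values are needed."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _base32hex(digest)


def nsec3_covers(owner: str, next_hash: str, candidate: str) -> bool:
    """True if `candidate` lies strictly inside the gap (owner, next_hash).
    The last NSEC3 of a chain points back to the first owner hash, so that
    gap wraps around the end of the hash space."""
    owner, next_hash, candidate = (h.lower() for h in (owner, next_hash, candidate))
    if owner < next_hash:
        return owner < candidate < next_hash
    return candidate > owner or candidate < next_hash


if __name__ == "__main__":
    # NSEC3PARAM of the RFC 5155 Appendix A zone: SHA-1, 12 iterations, salt aabbccdd
    print(nsec3_hash("example", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # First gap of that chain, H(example) -> H(ns1.example); query name is constructed
    qh = nsec3_hash("nonexistent.example", "aabbccdd", 12)
    print(qh, nsec3_covers("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom",
                           "2t7b4g4vsa5smi47k61mv5bv1a22bojr", qh))
```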