Re: [DNSOP] nsec3-parameters opinions gathered
Petr Špaček <pspacek@isc.org> Tue, 09 November 2021 09:11 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 876353A0C6E for <dnsop@ietfa.amsl.com>; Tue, 9 Nov 2021 01:11:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.449
X-Spam-Level:
X-Spam-Status: No, score=-5.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.33, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=PakGurJH; dkim=pass (1024-bit key) header.d=isc.org header.b=GcQ8KVtV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XjY4gaT9IjKg for <dnsop@ietfa.amsl.com>; Tue, 9 Nov 2021 01:11:06 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 124483A0C2E for <dnsop@ietf.org>; Tue, 9 Nov 2021 01:11:05 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 38E9F4347E4; Tue, 9 Nov 2021 09:11:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1636449064; bh=69JulbNEP/J38RAFHhkTehImqN45uEjWsRIpSC3HY8o=; h=Date:From:To:Cc:References:Subject:In-Reply-To; b=PakGurJHZ1QiUtJwXlf20EtMyx7MIBL0ylOcHnIcXomjVOJJ7Q8K3SiINOjksRBT2 N3YHqfK8aLF/isYglJ7raBFuciATvOyN6DouEHOxT4rKPwC/mQLUk8r0YFda3lkjpO nz6FocD0V2mZJBAYzHLFSrNK6Pls7Ic015pafTOk=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 28E80F07F4C; Tue, 9 Nov 2021 09:11:04 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id F3860F07F52; Tue, 9 Nov 2021 09:11:03 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org F3860F07F52
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1636449064; bh=BSTQCyTNNV3o1acwolA4k8qWevOAJrvja+W30050RJM=; h=Message-ID:Date:MIME-Version:From:To; b=GcQ8KVtVrKgKggiCfuFMYtdxtPq5eyNfH0rF0XK9IoWhvdzvcUseFggYtCDUuJfnT 7Z4ggvR2Okxz5mVgyOS1tgnQPfkZsrIbSK2SVj7JDO6aKY81P3LGWWG6aDpb7kOshR SE5gEVaZ2q0s8A3pk37rlojdCNXwl4biX+bj9uzE=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id hOpVw7V3jnlv; Tue, 9 Nov 2021 09:11:03 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-254-49.net.upcbroadband.cz [86.49.254.49]) by zimbrang.isc.org (Postfix) with ESMTPSA id 5A987F07F4C; Tue, 9 Nov 2021 09:11:03 +0000 (UTC)
Message-ID: <6a13b459-c52b-02e7-9390-3345581df8d1@isc.org>
Date: Tue, 09 Nov 2021 10:11:00 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
From: Petr Špaček <pspacek@isc.org>
To: Wes Hardaker <wjhns1@hardakers.net>
Cc: dnsop@ietf.org
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl> <4254eece-a024-dbe4-3a64-a7ff957ce945@pletterpet.nl> <ec14099d-adfe-09ae-a06c-80cc2a1cf793@isc.org> <ybly25yojbw.fsf@w7.hardakers.net>
Content-Language: en-US
In-Reply-To: <ybly25yojbw.fsf@w7.hardakers.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dwQ0s-WOfMrstxNfvRtIThd8JZI>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 09:11:11 -0000
On 08. 11. 21 14:41, Wes Hardaker wrote: > Petr Špaček <pspacek@isc.org> writes: > > Thanks for the detail notes Petr, very helpful. > >> From my point of view the RFC does not need to stick to the value >> currently implemented in resolvers. > > Good point, and maybe the right phrasing I should have used should have > been "what value would implementations refuse to switch to"? Well, the answer is the same: For validators it's a moving target. A high value which was "necessary" yesterday might not be needed today because a large hoster moved on. > In part, I worry that code authors would object to having just changed > something and refused to change again. It seems like reports are > overcoming that problem though :-) > > [I'm not sure we're at zero yet...] Sure, but that's not the point. The value is ever-changing. As I see it, we can either: a) Specify _a_ value valid for November 2021 and produce a RFC with values not reliable beyond November 2021. b) Specify _the_ ultimate target which guarantees interoperability in future, and make it really clear in the text. I think the second option is much better, so let me try this approach. I'm proposing text along those lines: Addition for section > 3.1. Best-practice for zone publishe ---- Please note that any number of iterations larger than 0 carries risk of interoperability problems. Any zone using higher iterations counts is willingly signing up for problems. The reason for this is that DNSSEC responders and validators have to limit resource usage caused by excessive iteration values, and even very small numbers of iterations impose significant overhead, which motivates software vendors to drive the limit down to 0. ----- If we really wanted we could add an appendix with an illustrative table (with disclamer about being just ilustrative for one software version, point in time, hardware etc. etc.): | Iterations | QPS [% of 0 iterations QPS] | |------------|-----------------------------| | 0 | 100 % | | 10 | 89 % | | 20 | 82 % | | 50 | 64 % | | 100 | 47 % | | 150 | 38 % | If we wanted a simpler example we could say something like "at the time of this writing, mere 10 iterations caused over 10 % QPS drop on two popular authoritative server implementations". (As a sanity check I just tested Knot DNS and the impact there is very similar to what we see in the table about for BIND.) Honestly I don't think it's necessary. As for > 3.2. Recommendation for validating resolvers I don't see need to specify _a_ value here. I think better approach is acknowledge current state of things. What about something like this? --- As for November 2021, the limit of 150 iterations for treating answer as insecure is interoperable without significant problems, but at the same time it makes DoS attacks based on exhausting CPU resources three times cheaper when compared to 0 iterations. For this reason software vendors are expected to evaluate NSEC3 iteration counts seen in wild and lower their limits over time. --- What do you think about this approach? -- Petr Špaček
- [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Vladimír Čunát
- Re: [DNSOP] nsec3-parameters opinions gathered Benno Overeinder
- Re: [DNSOP] nsec3-parameters opinions gathered Olafur Gudmundsson
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Matthijs Mekking
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Hoffman
- Re: [DNSOP] nsec3-parameters opinions gathered A. Schulze
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Vixie
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Paul Wouters
- Re: [DNSOP] nsec3-parameters opinions gathered Mark Andrews
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Michael Bauland
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni