Re: [DNSOP] draft-ietf-dnsop-nsec3-guidance: fresh iteration count stats

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 18 October 2021 05:02 UTC

Date: Mon, 18 Oct 2021 01:02:50 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <YWz/+sCHAI7P56Gt@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <163434063744.31980.3246351021399660138@ietfa.amsl.com> <YWz7h0bOD5Yw1iFH@straasha.imrryr.org>
In-Reply-To: <YWz7h0bOD5Yw1iFH@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/huKynATa8tonexefW7QGJVpug1Q>

On Mon, Oct 18, 2021 at 12:43:51AM -0400, Viktor Dukhovni wrote:

> On Fri, Oct 15, 2021 at 04:30:37PM -0700, internet-drafts@ietf.org wrote:
> 
> > 	Filename        : draft-ietf-dnsop-nsec3-guidance-01.txt
> > 
> > Abstract:
> >    NSEC3 is a DNSSEC mechanism providing proof of non-existence by
> >    promising there are no names that exist between two domainnames
> >    within a zone.  Unlike its counterpart NSEC, NSEC3 avoids directly
> >    disclosing the bounding domainname pairs.  This document provides
> >    guidance on setting NSEC3 parameters based on recent operational
> >    deployment experience.
> 
> We were waiting for TransIP to complete the migration of their managed
> DNS domains from 100 iterations to 0, before collecting fresh NSEC3
> iteration count deployment statistics.
> 
> That has now been done, and the results are below:
> 
>   Zones successfully probed: 16,302,535
>   Zones using NSEC3:         12,460,057   76.4% (of signed zones)
>   Zones using opt-out:        1,162,869    9.3% (of NSEC3 zones)

Based on the stats it looks plausibly realistic to set the bar as low as
50 iterations, if there's a desire to urge the community to make a final
round of downward adjustments.  Or else we could declare victory; the
recent encouragement to use 150 or less shows very good "compliance".
A middle ground might be to set the bar at 100.

The number of zones in the 21 to 50 range is 74,756 and there are
531,146 zones at 20.  So a maximally aggressive goal could be 20
or less, but would take more time and effort.

Bikeshed away!

There's a fairly small number of operators to persuade to reduce
iterations to 50 or less.  A comparatively small number of operators
revising their settings to 50 or less would reduce an already rather low
rate of domains with 51 or more iterations to essentially insignificant
levels:

  #zones  #iters     SOA mname
  ------------------------------------------------
    7979     100     root-dns.netcup.net
    2289     100     ns.nlhosting.net
    2162     100     ns1.core-networks.de
    1790     100     ns0-auth.businessconnect.nl
     748     100     ns0.transip.net
     689     100     ns1.nextpertise.nl
     575     100     ns1.acmeweb.nl
     459     100     nsa.perf1.fr
     449     100     a.dns-i.net
     434     100     ns10.kibernet.hu
     406     100     ns1.absolight.net
     256     100     ns1.isaac.nl
     202     100     ns1.codeforce.nl
     181     100     ns1.worldstream.nl
     124     100     ns1.metaname.net
      99     100     ns1.vshosting.cz
  ------------------------------------------------
   18842     100     out of 20,183 in all

  #zones  #iters     SOA mname
  ------------------------------------------------
    5810     150     ns1.mijnhostingpartner.nl
     234     150     ns1.inmoves.nl
     102     150     ns1-eu.123ns.eu
  ------------------------------------------------
    6146     150     out of 6351

  #zones  #iters     SOA mname
  ------------------------------------------------
      85     500     dfw-infma1.ext.ray.com
  ------------------------------------------------
      85     500     out of 101

-- 
    Viktor.
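The tables above are per-operator tallies of iteration counts, and the argument of the message is that a handful of SOA MNAMEs account for nearly all zones above any given threshold.  The block below is an added example (not Viktor's survey tooling, nor anything from the draft) that rebuilds that tally from a constructed survey file and, since the whole point of the draft is the cost of iterations, also implements the RFC 5155 NSEC3 hash so the meaning of "iterations" is concrete: each NSEC3 owner name costs a validator iterations + 1 SHA-1 calls.  The survey input format (zone, NSEC3PARAM rdata in presentation form, SOA MNAME) is an assumption for the example; the operator names are borrowed from the message, but the zones and parameters are invented.

```python
"""NSEC3 iteration-count survey and RFC 5155 hashing (added example)."""
import base64
import hashlib
from collections import Counter

# Constructed survey lines, NOT real measurement data.  Format (assumed for
# this example): <zone> <hash-alg> <flags> <iterations> <salt-or-dash> <mname>.
# The middle four fields are an NSEC3PARAM record in presentation form.
SAMPLE_SURVEY = """\
example.nl   1 0 100 AB12  ns0-auth.businessconnect.nl
shop.nl      1 0 150 -     ns1.mijnhostingpartner.nl
alpha.de     1 1 100 -     root-dns.netcup.net
beta.de      1 0 100 CAFE  root-dns.netcup.net
gamma.cz     1 0 20  -     ns1.vshosting.cz
delta.com    1 0 500 00    dfw-infma1.ext.ray.com
epsilon.fr   1 0 10  -     nsa.perf1.fr
zeta.nl      1 0 0   -     ns0.transip.net
"""


def parse_survey(text):
    """Return (zone, iterations, opt_out, mname) tuples, one per line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 6:
            raise ValueError(f"malformed survey line: {line!r}")
        zone, alg, flags, iters, _salt, mname = parts
        if alg != "1":  # SHA-1 (algorithm 1) is the only NSEC3 hash defined
            raise ValueError(f"{zone}: unsupported NSEC3 hash algorithm {alg}")
        rows.append((zone, int(iters), bool(int(flags) & 1), mname))
    return rows


def iteration_histogram(text):
    """Iteration count -> number of zones using it."""
    return Counter(iters for _z, iters, _o, _m in parse_survey(text))


def opt_out_count(text):
    """Zones whose NSEC3PARAM flags field has the Opt-Out bit (0x01) set."""
    return sum(1 for _z, _i, opt_out, _m in parse_survey(text) if opt_out)


def operators_above(text, threshold):
    """(mname, zones) pairs for zones with more than `threshold` iterations,
    most prolific operator first: the shape of the tables in the message."""
    per_mname = Counter()
    for _z, iters, _o, mname in parse_survey(text):
        if iters > threshold:
            per_mname[mname] += 1
    return per_mname.most_common()


def coverage_by_top_operators(text, threshold, top_n):
    """Share of the zones above `threshold` that the `top_n` largest
    operators account for, i.e. how much a few migrations would fix."""
    ranked = operators_above(text, threshold)
    total = sum(n for _m, n in ranked)
    return 0.0 if total == 0 else sum(n for _m, n in ranked[:top_n]) / total


# base32 (RFC 4648 standard alphabet) -> base32hex, as NSEC3 owner names use
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(owner, salt_hex, iterations):
    """RFC 5155 section 5: IH(0) = SHA-1(wire(owner) || salt) and
    IH(k) = SHA-1(IH(k-1) || salt); the hashed owner label is IH(iterations)
    in base32hex.  That is iterations + 1 SHA-1 calls per name, paid by every
    validator reconstructing the closest-encloser proof, not just the signer."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


if __name__ == "__main__":
    print("iterations histogram:", dict(iteration_histogram(SAMPLE_SURVEY)))
    print("opt-out zones:", opt_out_count(SAMPLE_SURVEY))
    for mname, n in operators_above(SAMPLE_SURVEY, 50):
        print(f"{n:6d}  >50 iters  {mname}")
    print("top-1 operator covers:",
          coverage_by_top_operators(SAMPLE_SURVEY, 50, 1))
    print("RFC 5155 appendix vector:", nsec3_hash("example.", "aabbccdd", 12))
```

`nsec3_hash` can be checked against RFC 5155 Appendix A (salt aabbccdd, 12 iterations), where the apex `example.` hashes to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`.  To run the tally against real data, feed `parse_survey` lines built from `NSEC3PARAM` and `SOA` lookups of the zones you operate or are auditing; the threshold you pass to `operators_above` is the bar the thread is bikeshedding (20, 50, 100 or 150).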