Re: [DNSOP] draft-ietf-dnsop-nsec3-guidance: fresh iteration count stats
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 18 October 2021 05:02 UTC
Date: Mon, 18 Oct 2021 01:02:50 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <YWz/+sCHAI7P56Gt@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <163434063744.31980.3246351021399660138@ietfa.amsl.com> <YWz7h0bOD5Yw1iFH@straasha.imrryr.org>
In-Reply-To: <YWz7h0bOD5Yw1iFH@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/huKynATa8tonexefW7QGJVpug1Q>
Subject: Re: [DNSOP] draft-ietf-dnsop-nsec3-guidance: fresh iteration count stats
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
On Mon, Oct 18, 2021 at 12:43:51AM -0400, Viktor Dukhovni wrote:

> On Fri, Oct 15, 2021 at 04:30:37PM -0700, internet-drafts@ietf.org wrote:
>
> > Filename : draft-ietf-dnsop-nsec3-guidance-01.txt
> >
> > Abstract:
> > NSEC3 is a DNSSEC mechanism providing proof of non-existence by
> > promising there are no names that exist between two domainnames
> > within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly
> > disclosing the bounding domainname pairs. This document provides
> > guidance on setting NSEC3 parameters based on recent operational
> > deployment experience.
>
> We were waiting for TransIP to complete the migration of their managed
> DNS domains from 100 iterations to 0, before collecting fresh NSEC3
> iteration count deployment statistics.
>
> That has now been done, and the results are below:
>
> Zones successfully probed: 16,302,535
> Zones using NSEC3:         12,460,057   76.4% (of signed zones)
> Zones using opt-out:        1,162,869    9.3% (of NSEC3 zones)

Based on the stats it looks plausibly realistic to set the bar as low as
50 iterations, if there's a desire to urge the community to make a final
round of downward adjustments. Or else we could declare victory: the
recent encouragement to use 150 or less shows very good "compliance". A
middle ground might be to set the bar at 100.

The number of zones in the 21 to 50 range is 74,756 and there are
531,146 zones at 20. So a maximally aggressive goal could be 20 or less,
but would take more time and effort.

Bikeshed away! There's a fairly small number of operators to persuade to
reduce iterations to 50 or less.
A comparatively small number of operators revising their settings to 50
or less would reduce an already rather low rate of domains with 51 or
more iterations to essentially insignificant levels:

    #zones  #iters  SOA mname
    ------------------------------------------------
      7979     100  root-dns.netcup.net
      2289     100  ns.nlhosting.net
      2162     100  ns1.core-networks.de
      1790     100  ns0-auth.businessconnect.nl
       748     100  ns0.transip.net
       689     100  ns1.nextpertise.nl
       575     100  ns1.acmeweb.nl
       459     100  nsa.perf1.fr
       449     100  a.dns-i.net
       434     100  ns10.kibernet.hu
       406     100  ns1.absolight.net
       256     100  ns1.isaac.nl
       202     100  ns1.codeforce.nl
       181     100  ns1.worldstream.nl
       124     100  ns1.metaname.net
        99     100  ns1.vshosting.cz
    ------------------------------------------------
     18842     100  out of 20,183 in all

    #zones  #iters  SOA mname
    ------------------------------------------------
      5810     150  ns1.mijnhostingpartner.nl
       234     150  ns1.inmoves.nl
       102     150  ns1-eu.123ns.eu
    ------------------------------------------------
      6146     150  out of 6351

    #zones  #iters  SOA mname
    ------------------------------------------------
        85     500  dfw-infma1.ext.ray.com
    ------------------------------------------------
        85     500  out of 101

-- 
    Viktor.
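The tables in the message are per-operator aggregates of NSEC3PARAM iteration counts, which is the same kind of check an operator can run over their own signed zones before the guidance thresholds (150, 100, 50, 20) are applied. The script below is an added example, not code from the message, the survey, or the draft: it parses constructed survey lines of the form `<zone> <SOA mname> <NSEC3PARAM rdata>` (the RFC 5155 rdata order hash-alg, flags, iterations, salt), builds the per-iteration histogram, counts the 21 to 50 band, and lists the operators still above a chosen threshold in the `#zones #iters SOA mname` layout. The input line format, zone names, name servers and counts are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample survey output, one zone per line:
#   <zone> <SOA mname> <NSEC3PARAM rdata: hash-alg flags iterations salt>
# All names and counts are made up for this example.
SAMPLE = """\
example-a.test. ns1.hoster-a.test. 1 0 100 AABBCCDD
example-b.test. ns1.hoster-a.test. 1 0 100 -
example-c.test. ns1.hoster-b.test. 1 0 150 0123
example-d.test. ns1.hoster-c.test. 1 0 0 -
example-e.test. ns1.hoster-c.test. 1 0 20 -
example-f.test. ns1.hoster-d.test. 1 0 37 -
example-g.test. ns1.hoster-e.test. 1 0 500 FF
"""

# Salt is either "-" (empty) or hex, per the NSEC3PARAM presentation format.
LINE_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<mname>\S+)\s+(?P<alg>\d+)\s+(?P<flags>\d+)\s+"
    r"(?P<iters>\d+)\s+(?P<salt>-|[0-9A-Fa-f]+)\s*$"
)


def parse_zones(text):
    """Return a list of (zone, soa_mname, iterations) tuples from survey lines."""
    zones = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable survey line: {line!r}")
        # Lower-case the mname so the same operator is not split by case.
        zones.append((m["zone"], m["mname"].lower(), int(m["iters"])))
    return zones


def iteration_histogram(zones):
    """Number of zones per iteration value (the basis of the message's totals)."""
    return Counter(iters for _, _, iters in zones)


def count_in_range(zones, lo, hi):
    """Zones whose iteration count lies in the inclusive band [lo, hi]."""
    return sum(1 for _, _, iters in zones if lo <= iters <= hi)


def over_threshold_by_mname(zones, threshold):
    """Rows (zone_count, iterations, soa_mname) for zones above the threshold,
    sorted by descending zone count like the tables in the message."""
    per_mname = defaultdict(Counter)
    for _, mname, iters in zones:
        if iters > threshold:
            per_mname[mname][iters] += 1
    rows = [(n, iters, mname)
            for mname, counts in per_mname.items()
            for iters, n in counts.items()]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def render_table(rows, total_zones):
    """Render rows in the '#zones #iters SOA mname' layout with a total line."""
    lines = ["#zones  #iters  SOA mname", "-" * 48]
    for n, iters, mname in rows:
        lines.append(f"{n:>6}  {iters:>6}  {mname}")
    lines.append("-" * 48)
    lines.append(f"{sum(r[0] for r in rows):>6}  out of {total_zones} in all")
    return "\n".join(lines)


if __name__ == "__main__":
    zones = parse_zones(SAMPLE)
    hist = iteration_histogram(zones)
    print("zones per iteration count:", dict(sorted(hist.items())))
    print("zones in the 21..50 band:", count_in_range(zones, 21, 50))
    for threshold in (150, 100, 50):
        print(f"\nzones above {threshold} iterations:")
        print(render_table(over_threshold_by_mname(zones, threshold), len(zones)))
```

Feeding real data into `parse_zones` only needs a collector that emits one line per zone with the SOA MNAME and the zone's NSEC3PARAM rdata; the opt-out flag is not in NSEC3PARAM (its flags are zero per RFC 5155) and would have to be read from the zone's NSEC3 records separately.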