Re: [DNSOP] Comments regarding the NSEC5

Ondřej Surý <ondrej.sury@nic.cz> Sun, 15 March 2015 16:48 UTC

Date: Sun, 15 Mar 2015 17:28:38 +0100
From: Ondřej Surý <ondrej.sury@nic.cz>
To: Florian Weimer <fweimer@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/igmN6h6mMOan1kU57Hq1Aziqfag>
Cc: dnsop@ietf.org, Nicholas Weaver <nweaver@icsi.berkeley.edu>, Jan Včelák <jan.vcelak@nic.cz>
Subject: Re: [DNSOP] Comments regarding the NSEC5

JFTR I don't think the target audience is TLDs, but several times I have heard people speaking to me say that they won't implement DNSSEC because of enumeration (citing djb's paper on NSEC3 offline enumeration).  Those folks are the target audience for the cryptographically proven anti-enumeration solution.

Cheers,
Ondrej

--
 Ondřej Surý -- Chief Science Officer
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury@nic.cz    https://nic.cz/
 --------------------------------------------

----- Original Message -----
> From: "Florian Weimer" <fweimer@redhat.com>
> To: "Jan Včelák" <jan.vcelak@nic.cz>
> Cc: dnsop@ietf.org, "Nicholas Weaver" <nweaver@icsi.berkeley.edu>
> Sent: Thursday, March 12, 2015 12:39:17 PM
> Subject: Re: [DNSOP] Comments regarding the NSEC5

> On 03/12/2015 11:36 AM, Jan Včelák wrote:
> 
>>> And does anyone actually use opt out with NSEC3?
>> 
>> Yes, .com for example. My impression was that Opt-Out was the selling point of
>> NSEC3, not the domain name hashing.
> 
> Okay.  Are they interested in switching to NSEC5?
> 
> --
> Florian Weimer / Red Hat Product Security