Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Roy Arends <roy@dnss.ec> Tue, 23 February 2010 20:51 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8EDD13A84EF for <dnsop@core3.amsl.com>; Tue, 23 Feb 2010 12:51:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.145
X-Spam-Level:
X-Spam-Status: No, score=-2.145 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJiNnM1DCTYw for <dnsop@core3.amsl.com>; Tue, 23 Feb 2010 12:51:11 -0800 (PST)
Received: from mail.schlyter.se (trinitario.schlyter.se [195.47.254.10]) by core3.amsl.com (Postfix) with ESMTP id 693B33A84A7 for <dnsop@ietf.org>; Tue, 23 Feb 2010 12:51:11 -0800 (PST)
Received: from [192.168.1.2] (unknown [201.238.130.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: roy) by mail.schlyter.se (Postfix) with ESMTPSA id 1887A2D4CC; Tue, 23 Feb 2010 21:53:11 +0100 (MET)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset=us-ascii
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <alpine.LFD.1.10.1002231038240.9909@newtla.xelerance.com>
Date: Tue, 23 Feb 2010 15:52:58 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1E67D3C-9E30-4A86-A2B0-B5D2BF9930F9@dnss.ec>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <8E6C64ED-A336-4E8B-996F-9FB471EB07C6@NLnetLabs.nl> <4B7FE58C.5030605@ogud.com> <20100220202751.GB54720@shinkuro.com> <20100220213133.GE2477@isc.org> <4B807DC0.9050807@ogud.com> <315AD36E-879A-4512-A6A8-B64372E3D3CF@sinodun.com> <201002220022.o1M0M3qR048760@drugs.dv.isc.org> <A8EB3AAE-0DA6-4C4E-B2D1-E548884F63D5@dnss.ec> <4B8251E9.70904@nlnetlabs.nl> <699B9362-B927-4148-B79E-2AEB6D713BE8@dnss.ec> <4B835E71.1070802@dougbarton.us> <alpine.LFD.1.10.1002231038240.9909@newtla.xelerance.com>
To: Doug Barton <dougb@dougbarton.us>
X-Mailer: Apple Mail (2.1077)
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 20:51:12 -0000

On Feb 23, 2010, at 10:40 AM, Paul Wouters wrote:

> On Mon, 22 Feb 2010, Doug Barton wrote:
> 
>> On 02/22/10 05:14, Roy Arends wrote:
>>> On Feb 22, 2010, at 4:44 AM, W.C.A. Wijngaards wrote:
>>>> The deployment of NSEC3-signed toplevel domains is a giant hash
>>>> collision test of typo dictionaries.
>>> 
>>> Not really, most (will) use Opt-Out.
>> 
>> Has anyone done a side-by-side comparison of nsec/nsec3 +/- opt-out with
>> the benefits and drawbacks of each? If such a document already exists
>> and I've just missed it my apologies.
> 
> Not that I know of, but for a TLD of 1.2M entries, we decided to use
> NSEC3 without optout. To the signer machine, there is not that much
> difference, especially when you take in signature re-use. So apart
> from the 10M+ zones, I don't really see the use of optout much. Unless
> your nameservers are old 32bit hardware and stuck with 3GB per bind process.

Hi Doug,

We (Nominet UK) operate on a register of over 8M names, distributed over several second level domains, of which co.uk is by far the largest. For us, NSEC3 is the default. We decided to stay away from NSEC on all delegation centric zones we operate, including the UK top level domain.

Staying away from NSEC will keep our zones lightweight and flexible, considering we dynamically update them by the minute. Due to OptOut, the resulting DNSSEC overhead in terms of size, incremental zone transfers, occasional full zone transfers, memory footprint, CPU usage, etc, are negligible. I don't really see the benefit of using NSEC. Too much redundant crypto and name leakage in NSEC in light of no real benefits. 

Kind Regards

Roy