Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

John Dickinson <jad@sinodun.com> Sun, 21 February 2010 18:14 UTC

From: John Dickinson <jad@sinodun.com>
In-Reply-To: <4B807DC0.9050807@ogud.com>
Date: Sun, 21 Feb 2010 18:16:21 +0000
Message-Id: <315AD36E-879A-4512-A6A8-B64372E3D3CF@sinodun.com>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <8E6C64ED-A336-4E8B-996F-9FB471EB07C6@NLnetLabs.nl> <4B7FE58C.5030605@ogud.com> <20100220202751.GB54720@shinkuro.com> <20100220213133.GE2477@isc.org> <4B807DC0.9050807@ogud.com>
To: dnsop WG <dnsop@ietf.org>
Cc: Olaf Kolkman <olaf@NLnetLabs.nl>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Hi,

It might also be worth adding a line at the start reminding of the need for NSEC and NSEC3 - namely that the signing and serving of the zone are separate operations and that it is therefore necessary to create records that cover the very large number of non-existent names that lie between the names that do exist.

NSEC and NSEC3 are just different ways to achieve this goal and some people might prefer one above the other. One is NOT better than the other and it is a matter of operational needs that determine which one you select.

It may also be worth removing the mention of cryptographic operations. The hashing in NSEC3 is just a way to create new names that cover the same spaces. I imagine that many other schemes could have been dreamt up to do this. Hashing is just a convenient method.

John
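To make the point of the message concrete, here is an added example (not from the email, and not reference code from any DNSSEC implementation) that builds both kinds of chain over a small constructed zone and locates the record covering a name that does not exist. The zone names, the salt and the iteration count are assumptions for illustration; NSEC order follows RFC 4034 canonical ordering, and the NSEC3 owner hash follows RFC 5155 (SHA-1 over the wire-format name plus salt, iterated, base32hex).

```python
import base64
import hashlib

# Constructed zone for this example: only owner names matter for the chain.
NAMES = ["example.", "ns.example.", "a.example.", "b.example."]

def canon_key(name):
    """Sort key approximating RFC 4034 canonical order: labels compared
    right to left, case-insensitively, shorter prefix first."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def wire(name):
    """Uncompressed wire format: length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 owner-name hash: SHA-1(wire || salt), then `iterations`
    extra rounds of SHA-1(h || salt), rendered in lowercase base32hex."""
    h = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_TO_B32HEX).lower()

def build_chain(names, hashed=False, salt=b"", iterations=0):
    """Sorted (owner, next) pairs; the last record points back to the first,
    so the gap after the final name is covered too."""
    if hashed:
        owners = sorted(nsec3_hash(n, salt, iterations) for n in names)
    else:
        owners = sorted(names, key=canon_key)
    return [(o, owners[(i + 1) % len(owners)]) for i, o in enumerate(owners)]

def covering_record(chain, probe, hashed=False, salt=b"", iterations=0):
    """Return the record whose interval proves `probe` is absent, or None
    when `probe` matches an owner (it exists, so nothing is denied)."""
    if hashed:
        key, lt = nsec3_hash(probe, salt, iterations), lambda a, b: a < b
    else:
        key, lt = probe, lambda a, b: canon_key(a) < canon_key(b)
    for owner, nxt in chain:
        if not lt(owner, key) and not lt(key, owner):
            return None
        wrap = not lt(owner, nxt)  # final record: its "next" is the first owner
        if (wrap and (lt(owner, key) or lt(key, nxt))) or \
           (not wrap and lt(owner, key) and lt(key, nxt)):
            return (owner, nxt)
    return None
```

With the hashed chain the intervals cover the same gaps, only in hash order, which is the whole difference the message is pointing at; the wrap-around record is the edge case a validator must handle for both record types.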