Re: [DNSOP] Updated NSEC5 protocol spec and paper

Paul Wouters <paul@nohats.ca> Thu, 09 March 2017 20:30 UTC

From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Date: Thu, 09 Mar 2017 21:30:12 +0100
In-Reply-To: <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org>
References: <CAHPuVdXTcSaVcN6fBbPy3e=PgRvg8=GemSN_YFhzX387x8YW-A@mail.gmail.com> <CFBF172D-FDD7-4DE1-B5C5-7C76A7792549@vpnc.org>
Message-Id: <5FEB0B80-D60D-4159-AED0-82FA7E10C949@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mHqiiKOnDB54K2K5dH41Z61Xt7M>

> On Mar 9, 2017, at 18:31, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> The protocol described in draft-vcelak-nsec5 has improved since it was first presented, but it is still unclear why we should adopt it as part of DNSSEC. The benefits listed in the draft are real, but they come at a very steep cost for zone administrators who might use NSEC5.
> 
> Is there a community of zone admins who want this so much that they won't start signing until it exists?
> 
> If not, adopting this seems like a bad idea.

I agree with this summary.

Paul