Re: [DNSOP] wrapping up draft-ietf-dnsop-nsec3-guidance

Peter van Dijk <peter.van.dijk@powerdns.com> Thu, 21 October 2021 11:22 UTC

Message-ID: <93d5b9013bde0b3bdbfbefc9343f200a2a7e40ea.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Thu, 21 Oct 2021 13:22:25 +0200
In-Reply-To: <yblh7db366o.fsf@w7.hardakers.net>
References: <yblh7db366o.fsf@w7.hardakers.net>
Organization: PowerDNS.COM B.V.
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n5N5sAC82Enoajcdr1s-iGs7Yis>

On Wed, 2021-10-20 at 11:24 -0700, Wes Hardaker wrote:
> So, the question: what's the right FINAL value to put in the draft
> before LC?

I don't know what the -right- value is, but I know what I want: 0 iterations, empty salt, otherwise the NSEC3 gets ignored, presumably leading to SERVFAIL. This removes the 'insecure' window completely.

So, I'll support any push to lower the numbers.

Editorial nit, already hinted at above: the text currently has "Validating resolvers MAY return SERVFAIL when processing NSEC3 records with iterations larger than 500." - I suggest changing this to "validating resolvers MAY ignore NSEC3 records with iterations larger than 500". That way, zones in the middle of a transition from 1000 to 0 iterations do not get punished. Zones at 1000, not in a transition, will still get SERVFAIL by virtue of the NSEC3 proof missing (because it is ignored).

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
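Added illustration of the two wordings contrasted in the message above (not code from the thread or from PowerDNS): the hash follows RFC 5155 section 5, while the validator is a deliberately reduced model that only checks whether some acceptable NSEC3 RR matches the query name's hash, skipping the closest-encloser and covering-interval logic. The 1000-iteration chain, the 0-iteration target and the 500 limit come from the message; the salt and zone names are constructed.

```python
import base64
import hashlib
from dataclasses import dataclass

B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt); base32hex out."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]   # canonical wire form
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX).lower()

@dataclass(frozen=True)
class NSEC3:
    owner_hash: str      # hashed owner name, base32hex lowercase
    salt: bytes
    iterations: int

def sign_zone(names, salt: bytes, iterations: int):
    """One NSEC3 chain for the zone (next-hash pointers and type bitmaps omitted)."""
    return [NSEC3(nsec3_hash(n, salt, iterations), salt, iterations) for n in names]

def validate(qname: str, nsec3s, limit: int, policy: str) -> str:
    """Reduced validator: 'servfail' = the draft's current text (fail on sight),
    'ignore' = the suggested text (drop over-limit RRs, validate with the rest)."""
    if policy == "servfail" and any(r.iterations > limit for r in nsec3s):
        return "SERVFAIL"
    usable = [r for r in nsec3s if r.iterations <= limit]
    for r in usable:
        if nsec3_hash(qname, r.salt, r.iterations) == r.owner_hash:
            return "SECURE"
    return "SERVFAIL"    # no acceptable proof left: bogus, the answer is withheld

def transition_demo(limit: int = 500):
    """Zone moving from 1000 iterations (constructed salt) to 0 iterations, empty salt.
    Returns {scenario: (servfail-policy result, ignore-policy result)}."""
    names = ["example", "a.example"]                   # constructed zone contents
    old = sign_zone(names, bytes.fromhex("aabbccdd"), 1000)
    new = sign_zone(names, b"", 0)
    scenarios = {"old only": old, "transition": old + new, "new only": new}
    return {k: (validate("a.example", v, limit, "servfail"),
                validate("a.example", v, limit, "ignore")) for k, v in scenarios.items()}

if __name__ == "__main__":
    for k, v in transition_demo().items():
        print(f"{k:>10}: servfail-policy={v[0]}  ignore-policy={v[1]}")
```

Only the mid-transition zone (both chains present) distinguishes the two wordings: it is SERVFAIL under the current text and SECURE under the suggested one, while a zone stuck at 1000 iterations fails either way.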