IETF Logo Mail Archive

Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

bmanning@vacation.karoshi.com Thu, 28 January 2010 21:36 UTC

Return-Path: <bmanning@karoshi.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9EA463A6804 for <dnsop@core3.amsl.com>; Thu, 28 Jan 2010 13:36:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHBBhcdUvUrt for <dnsop@core3.amsl.com>; Thu, 28 Jan 2010 13:36:19 -0800 (PST)
Received: from vacation.karoshi.com (vacation.karoshi.com [198.32.6.68]) by core3.amsl.com (Postfix) with ESMTP id 91B483A68A9 for <dnsop@ietf.org>; Thu, 28 Jan 2010 13:36:19 -0800 (PST)
Received: from karoshi.com (localhost.localdomain [127.0.0.1]) by vacation.karoshi.com. (8.12.8/8.12.8) with ESMTP id o0O4UCf9010938; Sun, 24 Jan 2010 04:30:12 GMT
Received: (from bmanning@localhost) by karoshi.com (8.12.8/8.12.8/Submit) id o0O4U1bw010936; Sun, 24 Jan 2010 04:30:01 GMT
Date: Sun, 24 Jan 2010 04:30:01 +0000
From: bmanning@vacation.karoshi.com
To: Matt Larson <mlarson@verisign.com>
Message-ID: <20100124043001.GC4231@vacation.karoshi.com.>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <alpine.LFD.1.10.1001221446090.24208@newtla.xelerance.com> <D6C3D7B5FE44C580F05A1673@nimrod.local> <alpine.LFD.1.10.1001221854270.24908@newtla.xelerance.com> <20100124010017.GJ35464@sirocco.local>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20100124010017.GJ35464@sirocco.local>
User-Agent: Mutt/1.4.1i
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2010 21:36:20 -0000

On Sat, Jan 23, 2010 at 08:00:17PM -0500, Matt Larson wrote:
> On Fri, 22 Jan 2010, Paul Wouters wrote:
> > On Fri, 22 Jan 2010, Alex Bligh wrote:
> >> I meant computational resource requirements resultant from crypto
> >> operations, not algorithmic complexity.
> >
> > I had no problems doing this on a 1.2M domains TLD zone, using off the
> > shelf hardware, integrating into the TLD's hourly update interval.
> > (http://www.cira.ca/dnssec/)
> 
> Try 100M delegations, updated every 15 seconds, and sending the
> resulting large non-Opt-out zone to places with poor connectivity such
> as Nairobi, Kenya.
> 
> Arguments such as "I did it on once on commodity hardware with freely
> available tools" or "you can implement that in an afternoon" do not
> transfer well to large, critically important TLDs (or any large-scale,
> critical service).
> 
> Matt

	to be honest, there are a few more delegation points that fit the
	1.xM domains using cots technology than there are delegations that
	have delegations with 100M+ entries and running dynamic udates.

	on more than one occasion (perhaps first at the IETF in SLC) I have
	heard folks who would like the business model of such a delegation 
	refer to it as "a goiter on the neck of the DNS" in envy.

--bill

v2.23.0 | Report a Bug | By Email