[DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5
Edward Lewis <edward.lewis@icann.org> Thu, 12 March 2015 12:14 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5840D1A0023 for <dnsop@ietfa.amsl.com>; Thu, 12 Mar 2015 05:14:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id srlh-AuV3zLM for <dnsop@ietfa.amsl.com>; Thu, 12 Mar 2015 05:14:49 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2501E1A0013 for <dnsop@ietf.org>; Thu, 12 Mar 2015 05:14:49 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.847.32; Thu, 12 Mar 2015 05:14:47 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.0847.030; Thu, 12 Mar 2015 05:14:47 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Using NSEC3 for opt-out, was Re: [DNSOP] Comments regarding the NSEC5
Thread-Index: AQHQXL4h5cwMj7IaF0ildxDMxfY5Xg==
Date: Thu, 12 Mar 2015 12:14:46 +0000
Message-ID: <D126F949.9B95%edward.lewis@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.8.150116
x-originating-ip: [192.0.47.235]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3508992882_1954257"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/oh12KG-rbKLd7MAc5q3yxx9-Jgo>
Subject: [DNSOP] Using NSEC3 for opt-out, was Re: Comments regarding the NSEC5
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 12:14:50 -0000
On 3/12/15, 6:31, "Florian Weimer" <fweimer@redhat.com> wrote: >And does anyone actually use opt out with NSEC3? Currently twenty-one TLDs use NSEC3 with 0 iterations and no salt. Nineteen more use no salt with more than 1 iteration. That's just a count of what's in the root zone delegations. I haven't asked if they all use NSEC3 for opt-out, but given those parameters and based on at least one private conversation with one of the operators, I'm sure these are 40 cases of zones using NSEC3 for it's opt-out capability. (Subsets of the 40 zones are operated by the same entity, so it's not necessarily 40 operators.)
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Ondřej Surý
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Ondřej Surý
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Patrik Fältström
- Re: [DNSOP] Using NSEC3 for opt-out, was Re: Comm… Patrik Fältström
- [DNSOP] Using NSEC3 for opt-out, was Re: Comments… Edward Lewis