Re: [DNSOP] nsec3-parameters opinions gathered
Petr Špaček <pspacek@isc.org> Mon, 08 November 2021 11:07 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62F963A0B42 for <dnsop@ietfa.amsl.com>; Mon, 8 Nov 2021 03:07:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.429
X-Spam-Level:
X-Spam-Status: No, score=-5.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=Uy2BhyUp; dkim=pass (1024-bit key) header.d=isc.org header.b=fwTCoimj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJlLTcFLQXVe for <dnsop@ietfa.amsl.com>; Mon, 8 Nov 2021 03:07:31 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A383E3A0B19 for <dnsop@ietf.org>; Mon, 8 Nov 2021 03:07:31 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 1D9CE433F2A for <dnsop@ietf.org>; Mon, 8 Nov 2021 11:07:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1636369650; bh=G5TD/rlhKgvM+nkwH+8s26Eh75bgZR9LcMz9bglysC0=; h=Date:From:To:References:Subject:In-Reply-To; b=Uy2BhyUpC/G1ooenoetxN9UpX8L4HWYhIqAhB1ugt67BFxWWyXFy/quWNtE7DXdiT xckVoF9D1hNE1FaKM/bbpyJd4P/VcACCajfXSYSrCaMolyyI1Tl1F7R7YRIguN7jzn ZdKLmmfvq/1nEuAtrydyCxsaxIcqndijWBGN8FNI=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 15231F0766A for <dnsop@ietf.org>; Mon, 8 Nov 2021 11:07:30 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id E0EDEF0766E for <dnsop@ietf.org>; Mon, 8 Nov 2021 11:07:29 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org E0EDEF0766E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1636369649; bh=v9a7z5COPgPrPhS24DuwGZlgwm2ucf7/2uh1P85gheo=; h=Message-ID:Date:MIME-Version:From:To; b=fwTCoimjwN+kuXIhFCb9tNydqB+OD1PjZKjpIBgn/IcIKJ1EoES4GkbfGpQOWEGqY k7SvGKk0JgLj/7UlyMNRnFICnygw/CzcOJggREiH+sULKCv9BASJfdkTRYV22in08F M9INTHHmig3nLIPoNLXelnNZa6+zIhCWnl45UAn8=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Z0rHY-SXGC1x for <dnsop@ietf.org>; Mon, 8 Nov 2021 11:07:29 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-254-49.net.upcbroadband.cz [86.49.254.49]) by zimbrang.isc.org (Postfix) with ESMTPSA id 718D3F0766A for <dnsop@ietf.org>; Mon, 8 Nov 2021 11:07:29 +0000 (UTC)
Content-Type: multipart/mixed; boundary="------------TkZmaPdsdXrqOMpsC51SZDMg"
Message-ID: <ec14099d-adfe-09ae-a06c-80cc2a1cf793@isc.org>
Date: Mon, 08 Nov 2021 12:07:27 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
From: Petr Špaček <pspacek@isc.org>
To: dnsop@ietf.org
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl> <4254eece-a024-dbe4-3a64-a7ff957ce945@pletterpet.nl>
Content-Language: en-US
In-Reply-To: <4254eece-a024-dbe4-3a64-a7ff957ce945@pletterpet.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yXhrjncNvbPBqqoF_fIdX-CZjuw>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 11:07:38 -0000
On 08. 11. 21 9:34, Matthijs Mekking wrote: > I concur with Benno. > > For Bind 9, there is no technical challenge to set the iteration cap at > a lower value. > > We prefer the value to be as low as possible, because it adds no real > value at a real resource cost. > > But we will likely not implement blindly a maximum that will cause lots > of operational problems. TL;DR I say we should go for 0 and acknowledge in the text we are not there yet. A longer version, With Measurement Inside (tm): From my point of view the RFC does not need to stick to the value currently implemented in resolvers. IMHO the technically "hard" part is implementing limits at all, and understanding their impact. I would loudly object to publishing the text before the mechanism have been implemented and tested in wild, but we are now past this phase. I.e. we already now it is feasible to implement, and that reasonably high values work well in practice. The specific value is quite obviously a moving target, so I think it is appropriate to acknowledge that in the text. I propose to say something along those lines: - resolvers use 150 iterations as insecure limit as of November 2021 - resolvers are expected to gradually lower the limit to 0 over time, so don't do stupid things and use 0 right away That's factually correct and also provides us with a stick to beat outliers. To make this debate more informed, let's have a quick glance on real performance impact of NSEC3 iterations. This is measured against BIND 9.17.19 as an authoritative server. In all cases the server was CPU-bound and we compare average QPS | Iterations | QPS [% of 0 iterations QPS] | |------------|-----------------------------| | 0 | 100 % | | 10 | 89 % | | 20 | 82 % | | 50 | 64 % | | 100 | 47 % | | 150 | 38 % | That's means that even 100 iterations is a huge waste of resources, where half of the QPS is sacrificed to mindless NSEC3 iterations. So again, I say we should go for 0 and acknowledge in the text we are not there yet. ------ Here is my crude test setup so people can reproduce it themselves, possibly with different software: * $ cat named.conf zone "." { type primary; file "root.zone.signed"; }; * input zone: root zone SOA serial 2021012701 * keys: dnssec-keygen -K . -a ECDSAP256SHA256 . dnssec-keygen -K . -a ECDSAP256SHA256 -f KSK . * signed with: # example with no salt, 0 iterations dnssec-signzone -u -3 - -H 0 -S -o . root.zone * BIND started with: named -g -c named.conf -n 1 * numbers below are from a far-from-perfect laptop setup, so some instability is to be expected; here are some basic tweaks for Intel hardware: echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo cpupower frequency-set -g performance cpupower frequency-set --min 2.4G --max 2.4G * perf tested with: yes 'blabla. A' | dnsperf -D -s localhost -l 20 -S 1 A crude measurement script is attached. To get raw numbers run: fgrep -H 'per second' iter* | sed -e 's/:[^:]*nd:/:/' More detailed results in a table: | Iterations | Min - qps | Median - qps | Average - qps | Max - qps | StDev - qps | stdev [% of avg] | % of 0 iterations qps avg | |------------|-----------|--------------|---------------|-----------|-------------|------------------|---------------------------| | 0 | 19 910 | 22 289 | 21 881 | 22 937 | 994 | 5 % | 100 % | | 10 | 18 078 | 19 333 | 19 367 | 20 278 | 843 | 4 % | 89 % | | 20 | 16 947 | 18 167 | 17 982 | 18 289 | 419 | 2 % | 82 % | | 50 | 13 483 | 14 225 | 14 021 | 14 385 | 395 | 3 % | 64 % | | 100 | 9 922 | 10 426 | 10 371 | 10 573 | 212 | 2 % | 47 % | | 150 | 7 962 | 8 315 | 8 270 | 8 320 | 112 | 1 % | 38 % | Now I can only hope the tables survive transit. -- Petr Špaček @ ISC
- [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Vladimír Čunát
- Re: [DNSOP] nsec3-parameters opinions gathered Benno Overeinder
- Re: [DNSOP] nsec3-parameters opinions gathered Olafur Gudmundsson
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Miek Gieben
- Re: [DNSOP] nsec3-parameters opinions gathered Matthijs Mekking
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] nsec3-parameters opinions gathered Wes Hardaker
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Hoffman
- Re: [DNSOP] nsec3-parameters opinions gathered A. Schulze
- Re: [DNSOP] [Ext] nsec3-parameters opinions gathe… Paul Vixie
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Paul Wouters
- Re: [DNSOP] nsec3-parameters opinions gathered Mark Andrews
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni
- Re: [DNSOP] nsec3-parameters opinions gathered Petr Špaček
- Re: [DNSOP] nsec3-parameters opinions gathered Michael Bauland
- Re: [DNSOP] nsec3-parameters opinions gathered Viktor Dukhovni