From nobody Mon Nov  8 03:07:40 2021
Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 62F963A0B42
 for <dnsop@ietfa.amsl.com>; Mon,  8 Nov 2021 03:07:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.429
X-Spam-Level: 
X-Spam-Status: No, score=-5.429 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.33,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
 header.d=isc.org header.b=Uy2BhyUp;
 dkim=pass (1024-bit key)
 header.d=isc.org header.b=fwTCoimj
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id jJlLTcFLQXVe for <dnsop@ietfa.amsl.com>;
 Mon,  8 Nov 2021 03:07:31 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id A383E3A0B19
 for <dnsop@ietf.org>; Mon,  8 Nov 2021 03:07:31 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx.pao1.isc.org (Postfix) with ESMTPS id 1D9CE433F2A
 for <dnsop@ietf.org>; Mon,  8 Nov 2021 11:07:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay;
 t=1636369650; bh=G5TD/rlhKgvM+nkwH+8s26Eh75bgZR9LcMz9bglysC0=;
 h=Date:From:To:References:Subject:In-Reply-To;
 b=Uy2BhyUpC/G1ooenoetxN9UpX8L4HWYhIqAhB1ugt67BFxWWyXFy/quWNtE7DXdiT
 xckVoF9D1hNE1FaKM/bbpyJd4P/VcACCajfXSYSrCaMolyyI1Tl1F7R7YRIguN7jzn
 ZdKLmmfvq/1nEuAtrydyCxsaxIcqndijWBGN8FNI=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1])
 by zimbrang.isc.org (Postfix) with ESMTPS id 15231F0766A
 for <dnsop@ietf.org>; Mon,  8 Nov 2021 11:07:30 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by zimbrang.isc.org (Postfix) with ESMTP id E0EDEF0766E
 for <dnsop@ietf.org>; Mon,  8 Nov 2021 11:07:29 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org E0EDEF0766E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org;
 s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1636369649;
 bh=v9a7z5COPgPrPhS24DuwGZlgwm2ucf7/2uh1P85gheo=;
 h=Message-ID:Date:MIME-Version:From:To;
 b=fwTCoimjwN+kuXIhFCb9tNydqB+OD1PjZKjpIBgn/IcIKJ1EoES4GkbfGpQOWEGqY
 k7SvGKk0JgLj/7UlyMNRnFICnygw/CzcOJggREiH+sULKCv9BASJfdkTRYV22in08F
 M9INTHHmig3nLIPoNLXelnNZa6+zIhCWnl45UAn8=
Received: from zimbrang.isc.org ([127.0.0.1])
 by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id Z0rHY-SXGC1x for <dnsop@ietf.org>;
 Mon,  8 Nov 2021 11:07:29 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-254-49.net.upcbroadband.cz
 [86.49.254.49])
 by zimbrang.isc.org (Postfix) with ESMTPSA id 718D3F0766A
 for <dnsop@ietf.org>; Mon,  8 Nov 2021 11:07:29 +0000 (UTC)
Content-Type: multipart/mixed; boundary="------------TkZmaPdsdXrqOMpsC51SZDMg"
Message-ID: <ec14099d-adfe-09ae-a06c-80cc2a1cf793@isc.org>
Date: Mon, 8 Nov 2021 12:07:27 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.3.0
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <pspacek@isc.org>
To: dnsop@ietf.org
References: <ybl7ddnr16f.fsf@w7.hardakers.net>
 <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz>
 <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl>
 <4254eece-a024-dbe4-3a64-a7ff957ce945@pletterpet.nl>
Content-Language: en-US
In-Reply-To: <4254eece-a024-dbe4-3a64-a7ff957ce945@pletterpet.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yXhrjncNvbPBqqoF_fIdX-CZjuw>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
 <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 11:07:38 -0000

This is a multi-part message in MIME format.
--------------TkZmaPdsdXrqOMpsC51SZDMg
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable


On 08. 11. 21 9:34, Matthijs Mekking wrote:
> I concur with Benno.
>=20
> For Bind 9, there is no technical challenge to set the iteration cap at
> a lower value.
>=20
> We prefer the value to be as low as possible, because it adds no real
> value at a real resource cost.
>=20
> But we will likely not implement blindly a maximum that will cause lots
> of operational problems.

TL;DR
I say we should go for 0 and acknowledge in the text we are not there yet=
.


A longer version, With Measurement Inside (tm):

 From my point of view the RFC does not need to stick to the value=20
currently implemented in resolvers.

IMHO the technically "hard" part is implementing limits at all, and=20
understanding their impact. I would loudly object to publishing the text=20
before the mechanism have been implemented and tested in wild, but we=20
are now past this phase. I.e. we already now it is feasible to=20
implement, and that reasonably high values work well in practice.

The specific value is quite obviously a moving target, so I think it is=20
appropriate to acknowledge that in the text. I propose to say something=20
along those lines:

- resolvers use 150 iterations as insecure limit as of November 2021
- resolvers are expected to gradually lower the limit to 0 over time, so=20
don't do stupid things and use 0 right away

That's factually correct and also provides us with a stick to beat outlie=
rs.


To make this debate more informed, let's have a quick glance on real=20
performance impact of NSEC3 iterations.

This is measured against BIND 9.17.19 as an authoritative server. In all=20
cases the server was CPU-bound and we compare average QPS

| Iterations | QPS [% of 0 iterations QPS] |
|------------|-----------------------------|
| 0          | 100 %                       |
| 10         | 89 %                        |
| 20         | 82 %                        |
| 50         | 64 %                        |
| 100        | 47 %                        |
| 150        | 38 %                        |

That's means that even 100 iterations is a huge waste of resources,=20
where half of the QPS is sacrificed to mindless NSEC3 iterations.

So again, I say we should go for 0 and acknowledge in the text we are=20
not there yet.

------

Here is my crude test setup so people can reproduce it themselves,=20
possibly with different software:

* $ cat named.conf
zone "." {
	type primary;
	file "root.zone.signed";
};

* input zone: root zone SOA serial 2021012701
* keys:
dnssec-keygen -K . -a ECDSAP256SHA256 .
dnssec-keygen -K . -a ECDSAP256SHA256 -f KSK .

* signed with:
# example with no salt, 0 iterations
dnssec-signzone -u -3 - -H 0 -S -o . root.zone

* BIND started with:
named -g -c named.conf -n 1

* numbers below are from a far-from-perfect laptop setup, so some=20
instability is to be expected; here are some basic tweaks for Intel=20
hardware:
echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
cpupower frequency-set -g performance
cpupower frequency-set --min 2.4G --max 2.4G

* perf tested with:
yes 'blabla. A' | dnsperf -D -s localhost -l 20 -S 1

A crude measurement script is attached. To get raw numbers run:
fgrep -H 'per second' iter* | sed -e 's/:[^:]*nd:/:/'

More detailed results in a table:
| Iterations | Min - qps | Median - qps | Average - qps | Max - qps |=20
StDev - qps | stdev [% of avg] | % of 0 iterations qps avg |
|------------|-----------|--------------|---------------|-----------|----=
---------|------------------|---------------------------|
| 0          | 19 910    | 22 289       | 21 881        | 22 937    |=20
994         | 5 %              | 100 %                     |
| 10         | 18 078    | 19 333       | 19 367        | 20 278    |=20
843         | 4 %              | 89 %                      |
| 20         | 16 947    | 18 167       | 17 982        | 18 289    |=20
419         | 2 %              | 82 %                      |
| 50         | 13 483    | 14 225       | 14 021        | 14 385    |=20
395         | 3 %              | 64 %                      |
| 100        | 9 922     | 10 426       | 10 371        | 10 573    |=20
212         | 2 %              | 47 %                      |
| 150        | 7 962     | 8 315        | 8 270         | 8 320     |=20
112         | 1 %              | 38 %                      |

Now I can only hope the tables survive transit.

--=20
Petr =C5=A0pa=C4=8Dek  @  ISC
--------------TkZmaPdsdXrqOMpsC51SZDMg
Content-Type: application/x-shellscript; name="measure.sh"
Content-Disposition: attachment; filename="measure.sh"
Content-Transfer-Encoding: base64

IyEvYmluL3NoCnNldCAtbyBlcnJleGl0IC1vIG5vdW5zZXQgLW8geHRyYWNlCgpmb3IgSVRF
UiBpbiAwIDEwIDIwIDUwIDEwMCAxNTAKZG8KCWRuc3NlYy1zaWduem9uZSAtdSAtMyAtIC1I
ICRJVEVSIC1TIC1vIC4gcm9vdC56b25lIDI+JjEgfCB0ZWUgIml0ZXIuJHtJVEVSfS5zaWdu
IgoJa2lsbCAtSFVQIGBwZ3JlcCBuYW1lZGAKCXNsZWVwIDEKCWZvciBSVU4gaW4gJChzZXEg
MSAxMCkKCWRvCgkJZWNobyAiPT09IGl0ZXIgJHtJVEVSfSBydW4gJHtSVU59ID09PSIKCQl5
ZXMgJ2JsYWJsYS4gQScgfCBkbnNwZXJmIC1EIC1zIGxvY2FsaG9zdCAtbCAyMCAtUyAxIDI+
JjEgfCB0ZWUgIml0ZXIuJHtJVEVSfS5ydW4uJHtSVU59IgoJZG9uZQpkb25lCgo=
--------------TkZmaPdsdXrqOMpsC51SZDMg--