Re: [DNSOP] nsec3-parameters opinions gathered

Wes Hardaker <wjhns1@hardakers.net> Mon, 08 November 2021 13:45 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Olafur Gudmundsson <ogud@ogud.com>
Cc: Benno Overeinder <benno@NLnetLabs.nl>, DNSOP Working Group <dnsop@ietf.org>, Wes Hardaker <wjhns1@hardakers.net>
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl> <E354E8D8-5584-4607-A98D-76869F5CC68B@ogud.com> <20211108080026.GA5135@miek.nl>
Date: Mon, 08 Nov 2021 05:45:11 -0800
In-Reply-To: <20211108080026.GA5135@miek.nl> (Miek Gieben's message of "Mon, 8 Nov 2021 09:00:26 +0100")
Message-ID: <yblo86uoj6g.fsf@w7.hardakers.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ykheDwxz6cnd0XJMPtPUU1wLY38>

Miek Gieben <miek@miek.nl> writes:

> [ Quoting <ogud@ogud.com> in "Re: [DNSOP] nsec3-parameters opinio..." ]
> >The document should strongly discourage any use of NSEC3 <full stop>
> 
> I would very much see a sentence/paragraph stating this in the
> document as well.

Folks, can we boil this down to a concrete suggestion?  Section 3.1
already says this:

   First, if the operational or security features of NSEC3 are not
   needed, then NSEC SHOULD be used in preference to NSEC3.  NSEC3
   requires greater computational power for both authoritative servers
   and validating clients.  Specifically, there is a non-trivial
   complexity in finding matching NSEC3 records to randomly generated
   prefixes within a DNS zone.  NSEC mitigates this concern, and if
   NSEC3 must be used then selecting a low iterations count will help
   alleviate this computational burden.  Note that deploying NSEC with
   minimally covering NSEC records [RFC4470] also incurs a cost, and
   zone owners should measure the computational difference in deploying
   both RFC4470 or NSEC3.

Which is fairly strong (SHOULD [use NSEC]) with reasoning behind the
statement already.  How do you think we should specifically change that
text?
-- 
Wes Hardaker
USC/ISI
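The Section 3.1 text quoted above rests on two claims: that NSEC3 costs more than NSEC, and that a low iteration count limits that cost. The following Python is added here as an illustration of both claims; it is not code from the draft, the working group, or anyone in this thread. It implements the NSEC3 owner-name hash exactly as RFC 5155 section 5 defines it, checks it against the RFC 5155 Appendix A vector (H(example) with salt aabbccdd and 12 iterations), and then counts how many SHA-1 invocations a validator may spend on a closest-encloser proof as the iteration count grows. The function names, and the worst-case accounting in `validator_hash_work`, are this example's own; the RFC defines the hash, not this API.

```python
"""NSEC3 owner-name hash (RFC 5155, section 5) and its per-query cost.

Added illustration for the thread; not code from the draft or the list.
"""
import base64
import hashlib

# base32 -> base32hex (RFC 4648 "Extended Hex" alphabet), which NSEC3 uses
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of an owner name: labels lowercased and
    length-prefixed, terminated by the root label (a single zero byte)."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label: %r" % label)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def to_base32hex(raw):
    """NSEC3 presents hashes as lowercase base32hex without padding."""
    text = base64.b32encode(raw).decode("ascii").translate(_B32_TO_B32HEX)
    return text.rstrip("=").lower()


def nsec3_hash(name, salt_hex, iterations, hash_ctor=hashlib.sha1):
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    'iterations' is the NSEC3PARAM value, i.e. the number of *additional*
    hash applications, so a value of 0 still costs one hash.  A salt of
    "-" means no salt, as in NSEC3PARAM presentation format."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hash_ctor(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hash_ctor(digest + salt).digest()
    return to_base32hex(digest)


def ancestor_names(qname, apex):
    """Every name from qname up to and including the zone apex, e.g.
    x.y.w.example. -> [x.y.w.example., y.w.example., w.example., example.]"""
    q = qname.rstrip(".").lower().split(".")
    a = apex.rstrip(".").lower().split(".")
    if len(q) < len(a) or q[len(q) - len(a):] != a:
        raise ValueError("%s is not within zone %s" % (qname, apex))
    return [".".join(q[i:]) + "." for i in range(len(q) - len(a) + 1)]


def validator_hash_work(qname, apex, iterations):
    """Upper bound on hash-function invocations a validator may spend on a
    closest-encloser proof (RFC 5155 section 8.3): in the worst case it hashes
    every ancestor of the query name down to the apex, at iterations + 1
    invocations each.  This bound is the example's own accounting, not a
    figure from the draft."""
    return len(ancestor_names(qname, apex)) * (iterations + 1)


if __name__ == "__main__":
    # RFC 5155 Appendix A: zone "example", salt aabbccdd, 12 iterations
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # Cost grows linearly with the iteration count, for every name hashed
    for it in (0, 10, 100, 500):
        print("iterations=%3d  worst-case SHA-1 calls for x.y.w.example.: %d"
              % (it, validator_hash_work("x.y.w.example.", "example.", it)))
```

The loop at the end is the quantitative form of the draft's point: with NSEC the validator hashes nothing, with NSEC3 at iterations 0 it still hashes once per candidate name, and every additional iteration multiplies that work for each name it must try. Comparing the numbers against a measured RFC 4470 white-lie signing cost is the measurement the quoted text asks zone owners to make.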