Re: [dnsext] NSEC4

"Blacka, David" <davidb@verisign.com> Wed, 04 January 2012 15:15 UTC

From: "Blacka, David" <davidb@verisign.com>
To: Miek Gieben <miek@miek.nl>
Date: Wed, 04 Jan 2012 15:14:50 +0000
Message-ID: <19C1D806-207B-4096-98F1-D14ACFD45C4D@verisign.com>
References: <20120104092946.GA4199@miek.nl>
In-Reply-To: <20120104092946.GA4199@miek.nl>
Cc: dnsext list <dnsext@ietf.org>
Subject: Re: [dnsext] NSEC4

On Jan 4, 2012, at 4:29 AM, Miek Gieben wrote:

> Dear dnsext,
> 
> We have written down a little experiment that we have performed, called NSEC4.
> The goal of the experiment was to optimize denial of existence records.
> It is not our intention to standardize this, as we are aware of the backwards
> compatibility issues this has with the current DNSSEC family RFCs, and we do
> not want to discomfort the ongoing DNSSEC deployment.
> 
> However, we do want to document this to archive the insights we have gained
> by doing this experiment. Therefore, we have submitted the following draft:
> 
>    http://www.ietf.org/id/draft-gieben-nsec4-00.txt
> 
> This experiment resolves two things:
> * Reduces the size of the denial of existence response;
> * Adds Opt-Out to un-hashed names.
> 
> We would be grateful if you would like to read this.
> 
> Our question is what is the best place to archive this? Re-reading RFC 2026,
> we are considering putting this on the experimental non-standards track.
> 
> Thoughts?

Interesting!  As Roy points out, we did consider these ideas while working on NSEC3, but decided that adding them would make the analysis of NSEC3 even harder for the working group, so decided to leave them out.

I note that with zero hashing, NSEC4 doesn't look exactly like NSEC, as you will have NSEC4 records at empty non-terminals.  This is the reason (that is, the ability to find a record for every possible closest encloser) that the order doesn't have to be DNSSEC canonical name order, and thus could be byte order as Ben suggests.

Since this is an experiment, why not also experiment with a different type map encoding?  I've generally thought that the current encoding isn't typically space or computationally optimal.

--
David Blacka                          <davidb@verisign.com> 
Principal Engineer      Verisign Infrastructure Engineering
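Two of the points raised in the reply above are easy to see in code: whether a denial chain that includes empty non-terminals still needs DNSSEC canonical ordering, and how much room the RFC 4034 type bitmap encoding takes. The following is an added example written for this archive page; it is not code from the NSEC4 draft, from Verisign, or from either poster. It assumes absolute, dot-terminated presentation-format names with no escaped dots, and uses a small constructed zone (`example.` with a.example., ns.example., b.c.example. and z.example., so that `c.example.` is an empty non-terminal); the RR type numbers are the IANA values for A, MX, RRSIG and NSEC plus the TYPE1234 value from the RFC 4034 bitmap example.

```python
"""Denial-of-existence helpers for the NSEC / un-hashed NSEC4 discussion.

Added example, not code from the NSEC4 draft or from either poster. Assumes
absolute, dot-terminated presentation-format names without escaped dots.
"""
from collections import defaultdict


def labels(name):
    # Split "b.c.example." into ["b", "c", "example"] (root label dropped).
    name = name.rstrip(".")
    return name.split(".") if name else []


def canonical_key(name):
    # RFC 4034 section 6.1: compare labels from the rightmost (most
    # significant) label leftwards, case-insensitively; a shorter prefix
    # sorts before any name that extends it.
    return tuple(l.lower().encode() for l in reversed(labels(name)))


def byte_key(name):
    # Plain left-to-right octet order of the lowercased presentation name.
    return name.lower().encode()


def empty_non_terminals(names, apex):
    # An empty non-terminal (ENT) owns no RRs but has descendants that do.
    apex_labels = [l.lower() for l in labels(apex)]
    existing = {n.lower() for n in names}
    ents = set()
    for n in names:
        ls = [l.lower() for l in labels(n)]
        if ls[-len(apex_labels):] != apex_labels:
            continue  # not under this apex; ignore
        # Every ancestor strictly between n and the apex either exists or is an ENT.
        for i in range(1, len(ls) - len(apex_labels)):
            ancestor = ".".join(ls[i:]) + "."
            if ancestor not in existing:
                ents.add(ancestor)
    return ents


def nsec_chain(names, apex, include_ents):
    # Owner names of the denial chain in canonical order. Classic NSEC has no
    # record at ENTs; the un-hashed NSEC4 variant discussed above does.
    owners = set(names) | (empty_non_terminals(names, apex) if include_ents else set())
    return sorted(owners, key=canonical_key)


def closest_encloser(qname, chain):
    # Longest ancestor of qname (qname itself included) that owns a record.
    owners = {canonical_key(n) for n in chain}
    ls = labels(qname)
    for i in range(len(ls) + 1):
        candidate = ".".join(ls[i:]) + "."
        if canonical_key(candidate) in owners:
            return candidate
    return None


def encode_type_bitmap(types):
    # RFC 4034 section 4.1.2: one (window, length, bitmap) triple per 256-type
    # window, bits numbered from the most significant bit, trailing zero
    # octets dropped, windows with no bits set omitted entirely.
    windows = defaultdict(lambda: bytearray(32))
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError("RR type out of range: %r" % (t,))
        windows[t >> 8][(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = bytearray()
    for w in sorted(windows):
        bitmap = bytes(windows[w]).rstrip(b"\x00")
        out += bytes([w, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data):
    # Inverse of encode_type_bitmap, with the length checks a parser needs.
    types = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad bitmap length %d in window %d" % (length, window))
        for byte_idx, b in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.append((window << 8) | (byte_idx << 3) | bit)
        i += 2 + length
    return types


# Constructed toy zone: c.example. is an empty non-terminal.
ZONE_NAMES = ["example.", "a.example.", "ns.example.", "b.c.example.", "z.example."]

if __name__ == "__main__":
    with_ents = nsec_chain(ZONE_NAMES, "example.", include_ents=True)
    without = nsec_chain(ZONE_NAMES, "example.", include_ents=False)
    print("canonical order:", with_ents)
    print("byte order:     ", sorted(with_ents, key=byte_key))
    print("closest encloser of d.c.example. without ENT records:", closest_encloser("d.c.example.", without))
    print("closest encloser of d.c.example. with ENT records:   ", closest_encloser("d.c.example.", with_ents))
    A, MX, RRSIG, NSEC = 1, 15, 46, 47
    print("type bitmap:", encode_type_bitmap([A, MX, RRSIG, NSEC, 1234]).hex())
```

Running it shows that canonical order and byte order place `b.c.example.` and `c.example.` differently, and that once `c.example.` owns a chain record the closest encloser of a nonexistent `d.c.example.` is found at the ENT itself rather than at the apex. The bitmap helper reproduces the RFC 4034 worked example (A, MX, RRSIG, NSEC and TYPE1234 cost 8 octets for window 0 but 29 octets for window 4, because a single high type number drags in 27 bitmap octets), which is the space cost the reply alludes to.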

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext