Re: [dnsext] NSEC4
Matthijs Mekking <matthijs@NLnetLabs.nl> Wed, 04 January 2012 12:33 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F70121F8638; Wed, 4 Jan 2012 04:33:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1325680408; bh=pzyqyM45qAnfjc3ka1EAcwXZ+ezTEGNfkZ+iRLSwIiU=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=r9FtEl/gfeDQsR04JWvFvsa0Yy0DAQYZb7i0MrNAH0nSGcDUjyNoCgu7sQ2cG+co6 nvlQ48YmvpA1bhkcPOa8tqTi4Ga7rK+0rIYm5WmFrG1LkTqacAlo8EqOSiD2vzvTuU CHTEjeqsgkdlERw7eW/gpyusxHrEXh7ACgWDZSsA=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD45E21F8638 for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 04:33:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.299
X-Spam-Level:
X-Spam-Status: No, score=-102.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VSoZzb7b8oZ8 for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 04:33:26 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id AC11021F862B for <dnsext@ietf.org>; Wed, 4 Jan 2012 04:33:25 -0800 (PST)
Received: from [192.168.178.23] (a83-160-139-153.adsl.xs4all.nl [83.160.139.153]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id q04CXNCL049626 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 4 Jan 2012 13:33:23 +0100 (CET) (envelope-from matthijs@nlnetlabs.nl)
Message-ID: <4F044713.8060504@nlnetlabs.nl>
Date: Wed, 04 Jan 2012 13:33:23 +0100
From: Matthijs Mekking <matthijs@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111109 Thunderbird/3.1.16
MIME-Version: 1.0
To: Ben Laurie <ben@links.org>
References: <20120104092946.GA4199@miek.nl> <CAG5KPzw9REek_5P0yPnuY4G-taX__haiMnakupo7XgeRhLd5JQ@mail.gmail.com>
In-Reply-To: <CAG5KPzw9REek_5P0yPnuY4G-taX__haiMnakupo7XgeRhLd5JQ@mail.gmail.com>
X-Enigmail-Version: 1.1.2
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (open.nlnetlabs.nl [213.154.224.1]); Wed, 04 Jan 2012 13:33:23 +0100 (CET)
Cc: dnsext list <dnsext@ietf.org>
Subject: Re: [dnsext] NSEC4
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Ben, Thanks for your response. On 01/04/2012 12:26 PM, Ben Laurie wrote: > On Wed, Jan 4, 2012 at 9:29 AM, Miek Gieben <miek@miek.nl> wrote: >> Dear dnsext, >> >> We have written down a little experiment that we have performed, called NSEC4. >> The goal of the experiment was to optimize denial of existence records. >> It is not our intention to standardize this, as we are aware of the backwards >> compatibility issues this has with the current DNSSEC family RFCs, and we do >> not want to discomfort the ongoing DNSSEC deployment. >> >> However, we do want to document this to archive the insights we have gained >> by doing this experiment. Therefor, we have submitted the following draft: >> >> http://www.ietf.org/id/draft-gieben-nsec4-00.txt >> >> This experiment resolves two things: >> * Reduces the size of the denial of existence response; >> * Adds Opt-Out to un-hashed names. >> >> We would be grateful if you would like to read this. >> >> Our question is what is the best place to archive this? Re-reading RFC 2026, >> we are considering to put this on the experimental non-standards track. >> >> Thoughts? > > Cute. One minor quibble: in 3.2 you say that if the hash algorithm is > 0, then Salt Length MUST be ignored. Strictly speaking, if it is > ignored, then the Salt field cannot be ignored (since you don't know > how long it is). :-) A quibble, but indeed. > On that note, you could save 4 bytes by omitting those fields in this case. > > A more major observation: when the hash alg is 0 you specify that > domain names are sorted in canonical order (6.1. step 7 and presumably > elsewhere). Clearly this cannot be required to make the algorithm > work, or it would fail when hashing was used. So, either this is > suspicious, in that it suggests a weakness in the protocol, or you > could make the protocol simpler by always sorting in byte order. My apologies, I fail to see what the problem is. If "no hash" is used, we can order the NSEC4s in canonical order, just like NSEC. If hashing is used, we order them in hash order, like NSEC3. In both cases you make a usable linked-list. I guess my confusion is about: ... when the hash alg is 0 you ... work, or it would fail when hashing was used. But when hash alg is 0, that implies that hashing cannot be used. Step 7 of the sign algorithm in Section 6.1 says: 7. Sort the set of NSEC4 RRs into hash order or canonical order, depending on the value of the hash algorithm; Maybe we have to clarify that canonical order is only for algorithm number is 0? > Note that the canonical sort is vital to NSEC: it is what keeps the > proof down to 2 records instead of 3 (hence the reason this might be > suspicious). Yes, because you can always the closest encloser from the NSEC RRs. With hashing that is not possible. Best regards, Matthijs -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPBEcTAAoJEA8yVCPsQCW5+T4H/jRGxj456YibwPfBQL5gsr/F Ty+cP1Xsq2XhfCsshAEm3q8lB1ezSkW53/6XkuXAWXcjy6If854bCkbMx0qepNoV FYhnS8DWgkHQZH/d3SeWkg9fko9e7JLjM74Joa8is3MpJb07J8lmuMNPFzT2eFqQ um1jJIo2JJgDcBv39dS/mIlzDO6gCE0RwkhyQDOYmjL37JaNd+QH1vPBC37/UOzU MmsY2l1IWwWpsgTgxO0elRTlavvHu0xYncn5M/vvsEeC9YvD6pEhJyTZlpp2DFN/ SfITazW1ZrlqZlVozoEBJDAbgfXss6iYdzM05smgoR+KGfJndRRJAlO/toB67mU= =sxGe -----END PGP SIGNATURE----- _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] NSEC4 Miek Gieben
- Re: [dnsext] NSEC4 Roy Arends
- Re: [dnsext] NSEC4 Matthijs Mekking
- Re: [dnsext] NSEC4 Ben Laurie
- Re: [dnsext] NSEC4 Andrew Sullivan
- Re: [dnsext] NSEC4 Matthijs Mekking
- Re: [dnsext] NSEC4 Ben Laurie
- Re: [dnsext] NSEC4 Blacka, David
- Re: [dnsext] NSEC4 Miek Gieben
- Re: [dnsext] NSEC4 Alex Bligh
- Re: [dnsext] NSEC4 Miek Gieben