Re: draft-arends-dnsnr-00
Roy Arends <roy@dnss.ec> Mon, 26 July 2004 10:34 UTC
From: Roy Arends <roy@dnss.ec>
Subject: Re: draft-arends-dnsnr-00
Date: Mon, 26 Jul 2004 12:34:22 +0200
Lines: 68
Sender: owner-namedroppers@ops.ietf.org
References: <Pine.BSO.4.56.0407121709550.12231@trinitario.schlyter.se> <20040726094709.1ddf51a9.olaf@ripe.net> <Pine.BSO.4.56.0407260955500.10269@trinitario.schlyter.se> <4104D30E.50709@algroup.co.uk>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: namedroppers@ops.ietf.org
X-From: owner-namedroppers@ops.ietf.org Mon Jul 26 12:43:42 2004
Return-path: <owner-namedroppers@ops.ietf.org>
X-X-Sender: roy@trinitario.schlyter.se
To: Ben Laurie <ben@algroup.co.uk>
In-Reply-To: <4104D30E.50709@algroup.co.uk>
Precedence: bulk
X-Message-ID:
Message-ID: <20140418071904.2560.99133.ARCHIVE@ietfa.amsl.com>
On Mon, 26 Jul 2004, Ben Laurie wrote: > I do not propose that NSEC2 should _replace_ NSEC, I propose that an > operator can choose which of the two record types is supported. I understand that. But both record types exist in different versions of DNSSEC. To avoid switching back to previous versions of DNSSEC I included bw compatibility. I would not encourage retaining NSEC and NSECX in a single version of DNSSEC. > > NSEC3 does not 'flatten' empty-non-terminals, where-as NSEC2 emulates > > empty non-terminals with an extra EXIST record type. This is because NSEC3 > > hashes individual labels, where NSEC2 hashes owner-names. > > I am not wedded to the idea that the whole owner name should be hashed, > but there are at least two considerations here: > > a) Hashing individual labels will make the records _much_ bigger. > > b) EXIST is only needed if the zone is more than one name deep (i.e. > names within the zone contain dots), which strikes me as a rare situation. The tradeoff is as follows: For one label deep, both proposals have the same cost. NSEC3 hashes one label, NSEC2 uses a single hash. For the 'rare situation' of more labels deep, NSEC3 has a larger ownername due to multiple hashes, while NSEC2 has additional EXIST, RRSIG(EXIST), NSEC2, RRSIG(NSEC2). The thing to consider is that with NSEC2, empty-non-terminals disappear and are now emulated by EXIST records (which are non-empty). I won't use the hash-truncation argument, since it is presumed controversial, and can be applied to both proposals. > > NSEC3 does not include 'hash-iterations' since the gain in obscuring does > > not outweigh the additional cost in authoritative nameservers. > > Of course, you can set it to 1 in NSEC2 if you believe this. If an authoritative nameserver receives a query for a non-existent name, it has to iterate the hash function on the QNAME until it can include the overlapping NSEC2, right ? To me, that is a DoS factor. > > In general, the purpose of both records are the same: increase the cost of > > zone-enumeration. > > > > NSEC3 has NSEC2 properties. Additionally it is bw compatible with NSEC, > > allows OPT-IN and does not need extra records like NSECINFO and EXIST. > > NSECINFO does not appear in NSEC2-01. That is an improvement, but from the abstract of NSEC2-01: This document proposes an alternate scheme which hides owner names while permitting authenticated denial of existence of non-existent names. The scheme uses three new RR types: NSECINFO, NSEC2 and EXIST. Roy -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- comments on draft-arends-dnsnr-00 Scott Rose
- comments on draft-arends-dnsnr-00 Loomis, Rip
- Re: comments on draft-arends-dnsnr-00 Roy Arends
- Re: comments on draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Ben Laurie
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Ben Laurie
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Ben Laurie
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Ben Laurie
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Roy Badami
- Re: draft-arends-dnsnr-00 David Blacka
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Paul Vixie
- Re: draft-arends-dnsnr-00 Olaf M. Kolkman
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Ben Laurie
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Samuel Weiler
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Samuel Weiler
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Edward Lewis
- Re: draft-arends-dnsnr-00 Roy Arends
- Re: draft-arends-dnsnr-00 Roy Arends