Re: [dnsext] NSEC4

Roy Arends <roy@nominet.org.uk> Wed, 04 January 2012 10:24 UTC

From: Roy Arends <roy@nominet.org.uk>
To: Miek Gieben <miek@miek.nl>
Cc: dnsext list <dnsext@ietf.org>
Date: Wed, 04 Jan 2012 10:24:11 +0000
Subject: Re: [dnsext] NSEC4
Message-ID: <40816163-6712-4FEF-9FE3-324A2A8BCA09@nominet.org.uk>
In-Reply-To: <20120104092946.GA4199@miek.nl>
References: <20120104092946.GA4199@miek.nl>

On Jan 4, 2012, at 9:29 AM, Miek Gieben wrote:

> Dear dnsext,
> 
> We have written down a little experiment that we have performed, called NSEC4.
> The goal of the experiment was to optimize denial of existence records.
> It is not our intention to standardize this, as we are aware of the backwards
> compatibility issues this has with the current DNSSEC family RFCs, and we do
> not want to discomfort the ongoing DNSSEC deployment.
> 
> However, we do want to document this to archive the insights we have gained
> by doing this experiment. Therefore, we have submitted the following draft:
> 
>    http://www.ietf.org/id/draft-gieben-nsec4-00.txt
> 
> This experiment resolves two things:
> * Reduces the size of the denial of existence response;
> * Adds Opt-Out to un-hashed names.
> 
> We would be grateful if you would like to read this.
> 
> Our question is what is the best place to archive this? Re-reading RFC 2026,
> we are considering putting this on the experimental non-standards track.
> 
> Thoughts?

Nice!

During the development of NSEC3 we (nsec3 editors) discussed both optimizations (no hash, and wildcard bit). We called "no hash" an identity function [1], and figured out we could always define it as an NSEC3 hash function later. We called the wildcard bit an asterisk flag, but figured that wildcard expansions are per record type, not per full name, and that the proof would be even more different from nsec than before (and the group seemed to be suffering from NSEC3 fatigue at the time). Again, we thought we could always define an additional flag later. However, both additions would break backwards compatibility if you want to optimize for response size.

Great stuff, thanks for documenting the effort. Do you have code, and any comparative analysis on response size? As for a proper place, I'd suggest 

The added functionality of NSEC4 (smaller responses, unhashed names, opt-out) looks like the original opt-in specification: NSEC plus opt-in :-)

[1] http://en.wikipedia.org/wiki/Identity_function

Warm regards,

Roy


> 
> Best regards,
> 
> Miek Gieben,
> Matthijs Mekking
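The two optimizations being discussed (dropping the hash, and the size of the denial-of-existence response) can be made concrete by building the chain both ways. The following is an added example written for this thread, not code from draft-gieben-nsec4 or its authors, and not from the NSEC3 editors: it implements the RFC 5155 hash and base32hex owner label, then builds an NSEC3-style chain once with SHA-1 and once with the identity function Roy mentions (the name itself, sorted in RFC 4034 canonical order), and selects the records a resolver would need for a Name Error (closest encloser, next closer name, wildcard at the closest encloser). DenialChain, identity_key, sha1_key and distinct_owners are hypothetical names; ZONE_NAMES is a constructed name set modelled on the RFC 5155 Appendix A zone (the opt-out delegation is left out); RRSIGs, type bitmaps, opt-out and any wildcard flag are not modelled. Run against a.c.x.w.example, the identity chain proves the Name Error with the single record owned by x.w.example, which matches the closest encloser and covers both c.x.w.example and *.x.w.example, while the hashed chain scatters those three names across the chain and needs separate records, which is the response-size difference Miek's draft is about.

```python
"""Hashed (NSEC3, RFC 5155) versus identity-function denial-of-existence chains.

Added example for this thread, not code from the NSEC4 draft or its authors.
ZONE_NAMES is a constructed set modelled on the example zone in RFC 5155
Appendix A (the opt-out delegation is left out); DenialChain, identity_key and
sha1_key are hypothetical names. Signatures, type bitmaps and opt-out are not
modelled, only hashing, ordering and the choice of records for a Name Error.
"""
import base64
import hashlib


def canonical_labels(name):
    """Lowercase labels of a presentation-format name: 'X.W.example.' -> ['x', 'w', 'example']."""
    name = name.rstrip(".").lower()
    return [] if name == "" else name.split(".")


def wire_format(name):
    """Canonical wire form (RFC 4034 section 6.2): length-prefixed lowercase labels, then root."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in canonical_labels(name)) + b"\x00"


def nsec3_digest(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt)."""
    h = hashlib.sha1(wire_format(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h


# RFC 4648 base32 -> base32hex alphabet; a 20-byte SHA-1 digest encodes to 32 chars, no padding.
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt, iterations):
    """The NSEC3 owner label for a name."""
    return base64.b32encode(nsec3_digest(name, salt, iterations)).decode("ascii").translate(_TO_BASE32HEX)


def identity_key(name):
    """The 'identity function' of the thread: sort on the name itself, in RFC 4034
    section 6.1 canonical order (labels compared from the right)."""
    return tuple(reversed(canonical_labels(name)))


def sha1_key(salt, iterations):
    """Key function for a real NSEC3 chain: sort on the raw SHA-1 digest."""
    return lambda name: nsec3_digest(name, salt, iterations)


class DenialChain:
    """Sorted (owner, next) intervals over every name in a zone, empty non-terminals
    included. `key` decides the ordering and therefore what a record can cover."""

    def __init__(self, names, key):
        self.key = key
        self.names = {".".join(canonical_labels(n)) for n in names}
        self.order = sorted(self.names, key=key)
        self.keys = [key(n) for n in self.order]

    def covering(self, name):
        """(owner, next) whose interval strictly contains key(name), or None when the
        name maps onto an owner, i.e. the name exists."""
        k = self.key(name)
        if k in self.keys:
            return None
        n = len(self.keys)
        for i in range(n):
            lo, hi = self.keys[i], self.keys[(i + 1) % n]
            wraps = hi <= lo  # the last record points back to the first
            if lo < k < hi or (wraps and (k > lo or k < hi)):
                return (self.order[i], self.order[(i + 1) % n])
        return None

    def name_error_proof(self, qname):
        """Records needed for a Name Error (RFC 5155 section 8.4): the closest encloser,
        a record covering the next closer name, and a record covering the wildcard at
        the closest encloser. None if qname exists or a wildcard would answer it."""
        labels = canonical_labels(qname)
        if ".".join(labels) in self.names:
            return None
        for i in range(1, len(labels) + 1):
            ancestor = ".".join(labels[i:])
            if ancestor in self.names:
                closest_encloser, next_closer = ancestor, ".".join(labels[i - 1:])
                break
        else:
            raise ValueError(f"{qname} is not below this zone")
        wildcard = "*." + closest_encloser
        if wildcard in self.names:
            return None
        return {"closest_encloser": closest_encloser,
                "next_closer": self.covering(next_closer),
                "wildcard": self.covering(wildcard)}


def distinct_owners(proof):
    """How many chain records actually have to be sent: one record may serve as the
    closest-encloser match and as the cover for both the next closer and the wildcard."""
    return len({proof["closest_encloser"], proof["next_closer"][0], proof["wildcard"][0]})


# Constructed zone contents, modelled on RFC 5155 Appendix A (w.example and y.w.example are ENTs).
ZONE_NAMES = ["example", "a.example", "ai.example", "ns1.example", "ns2.example", "w.example",
              "*.w.example", "x.w.example", "y.w.example", "x.y.w.example", "xx.example"]
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12

if __name__ == "__main__":
    print("apex hash:", nsec3_hash("example", SALT, ITERATIONS))
    for label, chain in (("NSEC3/SHA-1", DenialChain(ZONE_NAMES, sha1_key(SALT, ITERATIONS))),
                         ("identity   ", DenialChain(ZONE_NAMES, identity_key))):
        proof = chain.name_error_proof("a.c.x.w.example")
        print(label, proof, "-> records on the wire:", distinct_owners(proof))
```

Running the script prints the apex hash (with the Appendix A salt and iteration count it reproduces the RFC's own owner label for "example") and the two proofs for a.c.x.w.example. The same DenialChain serves both modes because, as Roy notes, "no hash" is just another hash algorithm as far as the chain logic is concerned; what changes is the ordering, and with name ordering the closest encloser's own record is the one that covers the names immediately below it.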

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext