Re: [dnsext] NSEC4
Alex Bligh <alex@alex.org.uk> Wed, 04 January 2012 19:43 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CBA911E80A5; Wed, 4 Jan 2012 11:43:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1325706226; bh=+QN2noqm43bKt/foMZpRkyADPcUYsTvcJaXyyk8J6kQ=; h=Date:From:To:Message-ID:In-Reply-To:References:MIME-Version:Cc: Subject:Reply-To:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:Content-Transfer-Encoding:Content-Type: Sender; b=rCVOIppYdjW2Af8aqis0Gmn7FYVNBzgeMeldaDgSjm4UY+/pPQlV7GfPpd5Y14yEE 8Wdf9PZ6FHNgA2X3p6Vm7OguI4bcAaG0K2zG0n0u/9Drm9w2/Wr+MWHun1q8RblZjX s4A5HXXEnScriUaumo+6mBfBH/OPWnAaenl1aV74=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 795B611E80A5 for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 11:43:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lyngpFXAZ9Vk for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 11:43:45 -0800 (PST)
Received: from mail.avalus.com (mail.avalus.com [89.16.176.221]) by ietfa.amsl.com (Postfix) with ESMTP id DC61D11E808F for <dnsext@ietf.org>; Wed, 4 Jan 2012 11:43:44 -0800 (PST)
Received: from [192.168.100.16] (lemondeh-adsl.demon.co.uk [83.105.105.209]) by mail.avalus.com (Postfix) with ESMTPSA id 3D07AC56126; Wed, 4 Jan 2012 19:43:40 +0000 (GMT)
Date: Wed, 04 Jan 2012 19:43:39 +0000
From: Alex Bligh <alex@alex.org.uk>
To: Matthijs Mekking <matthijs@NLnetLabs.nl>, Roy Arends <roy@nominet.org.uk>
Message-ID: <D3E76A95ED8345D1F635F172@nimrod.local>
In-Reply-To: <4F04329A.6040507@nlnetlabs.nl>
References: <20120104092946.GA4199@miek.nl> <40816163-6712-4FEF-9FE3-324A2A8BCA09@nominet.org.uk> <4F04329A.6040507@nlnetlabs.nl>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Disposition: inline
Cc: dnsext list <dnsext@ietf.org>
Subject: Re: [dnsext] NSEC4
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Matthijs, --On 4 January 2012 12:06:02 +0100 Matthijs Mekking <matthijs@NLnetLabs.nl> wrote: > First of all, you mentioned that the "no hash" (or "zero hashing") was > also discussed during the development of NSEC3. Unfortunately, it is > hard (if not impossible) to define it as a new NSEC3 hash function: Uggghh. If true, that is a shame. > For > "zero hashing" the Next (Hashed) Owner Name field cannot be base32 > encoded. Therefore, with our experiment we made the field a Domain Name. I /think/ your explanation could be clarified a little. If I understand things correctly, the issue is not that the Next (Hashed) Owner Name cannot be base32 encoded (it isn't - it's in binary - see 3.1.6, 3.1.7 and the last para of 3.2 of the RFC), but that the owner name of the NSEC3 RR needs to be equal to the base32 encoded value of the previous Next (Hashed) Owner Name, and as such cannot be guaranteed to fit in the Owner Name. What we should have done is defined that mapping (base32 encoding here) as part of the hash algorithm. What we also should have done is specified the identity mapping as part of the standard. NSEC3 fatigue as someone said. Unless I'm missing something, the Next (Hashed) Owner Name it seems to me could be base32 encoded, provided that the encoded value does not exceed 255 bytes. I think that allows representation of up to 159 characters, which might be useful to someone. But I seem to remember that hash algorithm support signaling is a minefield anyway. -- Alex Bligh _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] NSEC4 Miek Gieben
- Re: [dnsext] NSEC4 Roy Arends
- Re: [dnsext] NSEC4 Matthijs Mekking
- Re: [dnsext] NSEC4 Ben Laurie
- Re: [dnsext] NSEC4 Andrew Sullivan
- Re: [dnsext] NSEC4 Matthijs Mekking
- Re: [dnsext] NSEC4 Ben Laurie
- Re: [dnsext] NSEC4 Blacka, David
- Re: [dnsext] NSEC4 Miek Gieben
- Re: [dnsext] NSEC4 Alex Bligh
- Re: [dnsext] NSEC4 Miek Gieben