Re: [dnsext] NSEC4

Ben Laurie <ben@links.org> Wed, 04 January 2012 11:26 UTC

In-Reply-To: <20120104092946.GA4199@miek.nl>
References: <20120104092946.GA4199@miek.nl>
Date: Wed, 04 Jan 2012 11:26:22 +0000
Message-ID: <CAG5KPzw9REek_5P0yPnuY4G-taX__haiMnakupo7XgeRhLd5JQ@mail.gmail.com>
From: Ben Laurie <ben@links.org>
To: dnsext list <dnsext@ietf.org>
Subject: Re: [dnsext] NSEC4

On Wed, Jan 4, 2012 at 9:29 AM, Miek Gieben <miek@miek.nl> wrote:
> Dear dnsext,
>
> We have written down a little experiment that we have performed, called NSEC4.
> The goal of the experiment was to optimize denial of existence records.
> It is not our intention to standardize this, as we are aware of the backwards
> compatibility issues this has with the current DNSSEC family RFCs, and we do
> not want to discomfort the ongoing DNSSEC deployment.
>
> However, we do want to document this to archive the insights we have gained
> by doing this experiment. Therefore, we have submitted the following draft:
>
>    http://www.ietf.org/id/draft-gieben-nsec4-00.txt
>
> This experiment resolves two things:
> * Reduces the size of the denial of existence response;
> * Adds Opt-Out to un-hashed names.
>
> We would be grateful if you would like to read this.
>
> Our question is what is the best place to archive this? Re-reading RFC 2026,
> we are considering putting this on the experimental non-standards track.
>
> Thoughts?

Cute. One minor quibble: in 3.2 you say that if the hash algorithm is
0, then Salt Length MUST be ignored. Strictly speaking, if it is
ignored, then the Salt field cannot be ignored (since you don't know
how long it is). :-)

On that note, you could save 4 bytes by omitting those fields in this case.

A more major observation: when the hash alg is 0 you specify that
domain names are sorted in canonical order (6.1. step 7 and presumably
elsewhere). Clearly this cannot be required to make the algorithm
work, or it would fail when hashing was used. So, either this is
suspicious, in that it suggests a weakness in the protocol, or you
could make the protocol simpler by always sorting in byte order.

Note that the canonical sort is vital to NSEC: it is what keeps the
proof down to 2 records instead of 3 (hence the reason this might be
suspicious).
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
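Added example (not from the NSEC4 draft and not from anyone in this thread): a small Python model of why the canonical ordering matters for un-hashed denial of existence, the point Ben makes in the last two paragraphs above. It builds an NSEC-style chain over a constructed zone twice, once in RFC 4034 section 6.1 canonical order and once in a plain byte order, and then derives the closest encloser of a non-existent name from the single record that covers it, the way an RFC 4035 validator does. The zone contents and the query name are constructed for this example, and "byte order" is taken here to mean sorting the lower-cased presentation form of each name as a byte string, which is an assumption about what such an ordering would be rather than something the draft defines.

```python
"""Canonical (RFC 4034 6.1) vs byte-order NSEC chains and closest encloser derivation."""

from typing import Callable, List, Optional, Tuple

Record = Tuple[str, str]  # (owner name, next name) of one NSEC-style record


def labels(name: str) -> List[bytes]:
    """Lower-cased labels, root-most first: "b.a.example.com." -> [b"com", b"example", b"a", b"b"]."""
    name = name.rstrip(".")
    return [l.lower().encode("ascii") for l in reversed(name.split("."))] if name else []


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 6.1 order: compare right-most labels first as unsigned octets with ASCII
    upper-case folded to lower-case; a missing label sorts before any label, so a name
    is immediately followed by the names in its own subtree."""
    return tuple(labels(name))


def byte_order_key(name: str) -> bytes:
    """Assumed 'byte order': the lower-cased text form compared as raw bytes."""
    return name.rstrip(".").lower().encode("ascii")


def nsec_chain(zone: List[str], key: Callable) -> List[Record]:
    """Sort the zone's names under `key`; the last record wraps to the first."""
    ordered = sorted(zone, key=key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covering_nsec(qname: str, chain: List[Record], key: Callable) -> Optional[Record]:
    """The record whose owner < qname < next (None if qname is itself an owner)."""
    kq = key(qname)
    for owner, nxt in chain:
        ko, kn = key(owner), key(nxt)
        if ko < kq < kn:
            return (owner, nxt)
        if ko > kn and (kq > ko or kq < kn):  # wrap-around record at the end of the chain
            return (owner, nxt)
    return None


def common_ancestor(a: str, b: str) -> str:
    """Longest shared ancestor of two names ("." if only the root is shared)."""
    la, lb = labels(a), labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(l.decode() for l in reversed(la[:n])) or "."


def closest_encloser_from_nsec(qname: str, chain: List[Record], key: Callable) -> Optional[str]:
    """RFC 4035-style derivation: the longest ancestor of qname shared with either end of
    the covering record. This is only sound in canonical order, where one end of the
    covering record necessarily sits inside (or is) the closest encloser."""
    rec = covering_nsec(qname, chain, key)
    if rec is None:
        return None
    cands = [common_ancestor(qname, rec[0]), common_ancestor(qname, rec[1])]
    return max(cands, key=lambda n: len(labels(n)))


def true_closest_encloser(qname: str, zone: List[str]) -> Optional[str]:
    """Ground truth by direct lookup: the longest existing proper ancestor of qname."""
    ls = labels(qname)
    existing = {canonical_key(n) for n in zone}
    for n in range(len(ls) - 1, -1, -1):
        if tuple(ls[:n]) in existing:
            return ".".join(l.decode() for l in reversed(ls[:n])) or "."
    return None


def nxdomain_proof(qname: str, zone: List[str], key: Callable) -> Tuple[Optional[str], List[Record]]:
    """Records a validator would need: one covering qname, one covering the wildcard at the
    derived closest encloser (deduplicated when the same record covers both)."""
    chain = nsec_chain(zone, key)
    ce = closest_encloser_from_nsec(qname, chain, key)
    records = [covering_nsec(qname, chain, key)]
    wild = "*." if ce == "." else "*." + ce
    wrec = covering_nsec(wild, chain, key)
    if wrec is not None and wrec != records[0]:
        records.append(wrec)
    return ce, records


# Constructed zone (apex plus a three-level subtree) and a constructed non-existent name.
ZONE = ["example.com", "a.example.com", "b.a.example.com",
        "e.b.a.example.com", "c.example.com", "d.example.com"]
QNAME = "zz.b.a.example.com"


def compare_orders() -> dict:
    """Derived closest encloser under both orderings next to the real one."""
    truth = true_closest_encloser(QNAME, ZONE)
    ce_c, recs_c = nxdomain_proof(QNAME, ZONE, canonical_key)
    ce_b, recs_b = nxdomain_proof(QNAME, ZONE, byte_order_key)
    return {"truth": truth, "canonical": (ce_c, recs_c), "byte_order": (ce_b, recs_b)}


if __name__ == "__main__":
    for k, v in compare_orders().items():
        print(k, v)
```

In canonical order the record covering `zz.b.a.example.com` has `e.b.a.example.com` as its owner, so the closest encloser `b.a.example.com` falls out of that one record and the whole NXDOMAIN proof is the two records Ben mentions (covering name plus covering wildcard). In the byte ordering the covering record is the wrap-around `example.com` to `a.example.com`, and the same derivation yields `a.example.com`, one label too short; a validator would then check the wrong wildcard unless it were handed an extra record to establish the closest encloser, which is the third record his last paragraph refers to.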