Re: [dnsext] NSEC4
Matthijs Mekking <matthijs@NLnetLabs.nl> Wed, 04 January 2012 11:06 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 520E321F8623; Wed, 4 Jan 2012 03:06:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1325675168; bh=WVlkgUXJBqIGcLxSIsfSsMgdh13IgCNgZLDyLFupAQs=; h=Message-ID:Date:From:MIME-Version:To:References:In-Reply-To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=bUf4IlHe+En1Eq/pS1/PahSUsU7JdDtPJPn2SKfLHAw1G1/Hrh/ZXUC7bHpKVk0Sp 02CxALwKZys+vuYGmoEW4SwWHwxQx3KtbkjbWej0EJplWGgFgrT4WIzKlZiMkJcHa7 a+3HoU/hbIfGbbq26KZLugVACl7elVl5RHlT8O40=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCE1A21F8623 for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 03:06:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxvCoUa271R1 for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 03:06:06 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 92AB621F860F for <dnsext@ietf.org>; Wed, 4 Jan 2012 03:06:05 -0800 (PST)
Received: from [192.168.178.23] (a83-160-139-153.adsl.xs4all.nl [83.160.139.153]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id q04B62Zr051868 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 4 Jan 2012 12:06:03 +0100 (CET) (envelope-from matthijs@nlnetlabs.nl)
Message-ID: <4F04329A.6040507@nlnetlabs.nl>
Date: Wed, 04 Jan 2012 12:06:02 +0100
From: Matthijs Mekking <matthijs@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111109 Thunderbird/3.1.16
MIME-Version: 1.0
To: Roy Arends <roy@nominet.org.uk>
References: <20120104092946.GA4199@miek.nl> <40816163-6712-4FEF-9FE3-324A2A8BCA09@nominet.org.uk>
In-Reply-To: <40816163-6712-4FEF-9FE3-324A2A8BCA09@nominet.org.uk>
X-Enigmail-Version: 1.1.2
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (open.nlnetlabs.nl [213.154.224.1]); Wed, 04 Jan 2012 12:06:04 +0100 (CET)
Cc: dnsext list <dnsext@ietf.org>
Subject: Re: [dnsext] NSEC4
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Roy, Thanks for your kind reaction. First of all, you mentioned that the "no hash" (or "zero hashing") was also discussed during the development of NSEC3. Unfortunately, it is hard (if not impossible) to define it as a new NSEC3 hash function: For "zero hashing" the Next (Hashed) Owner Name field cannot be base32 encoded. Therefore, with our experiment we made the field a Domain Name. Second, I cannot deny that adding unhashed named to NSEC3 looks a lot like adding Opt-In to NSEC. I also think that document writes down a very clever idea:). We have code, adaptations of ldns and NSD on the authoritative side, godns on the resolver side. An analysis on response size is difficult, because it is zone and query specific. In general, all NXDOMAIN and Wildcard NODATA responses will be reduced by one NSECx record and its corresponding signatures. Kind regards, Matthijs On 01/04/2012 11:24 AM, Roy Arends wrote: > On Jan 4, 2012, at 9:29 AM, Miek Gieben wrote: > >> Dear dnsext, >> >> We have written down a little experiment that we have performed, >> called NSEC4. The goal of the experiment was to optimize denial of >> existence records. It is not our intention to standardize this, as >> we are aware of the backwards compatibility issues this has with >> the current DNSSEC family RFCs, and we do not want to discomfort >> the ongoing DNSSEC deployment. >> >> However, we do want to document this to archive the insights we >> have gained by doing this experiment. Therefor, we have submitted >> the following draft: >> >> http://www.ietf.org/id/draft-gieben-nsec4-00.txt >> >> This experiment resolves two things: * Reduces the size of the >> denial of existence response; * Adds Opt-Out to un-hashed names. >> >> We would be grateful if you would like to read this. >> >> Our question is what is the best place to archive this? Re-reading >> RFC 2026, we are considering to put this on the experimental >> non-standards track. >> >> Thoughts? > > Nice! > > During the development of NSEC3 we (nsec3 editors) discussed both > optimizations (no hash, and wildcard bit). We called "no hash" an > identity function [1], and figured out we could always define it as > an NSEC3 hash function later. We called the wildcard bit an asterisk > flag, but figured that wildcard expansions are per record type, not > per full name, and that the proof would be even more different from > nsec than before (and the group seemed to be suffering from NSEC3 > fatigue at the time). Again, we thought we could always define an > additional flag later. However, both additions would break backwards > compatibility if you want to optimize for response size. > > Great stuff, thanks for documenting the effort. Do you have code, and > any comparative analysis on response size? As for a proper place, I'd > suggest > > The added functionality of NSEC4 (smaller responses, unhashed names, > opt-out) looks like the original opt-in specification: NSEC plus > opt-in :-) > > [1] http://en.wikipedia.org/wiki/Identity_function > > Warm regards, > > Roy > > >> >> Best regards, >> >> Miek Gieben, Matthijs Mekking >> _______________________________________________ dnsext mailing >> list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext > > _______________________________________________ dnsext mailing list > dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPBDKaAAoJEA8yVCPsQCW5d9MIAKiTz274i59GuJvQDssEV7s3 D8y+iEanQp+LpAd4o7L5uWQZjeenFzKVRffCOVEmoXnq9ATazxzNcMIEcXzZQimP 3Z1YPZLNKvErc4EnypcXoh/NLyZkfX11xLhEYm+4kxe+XKjhWc4UVMxJxfzfbMp6 OU4C35+gnWquXp0PiYULWWqyRXe125IHIkeil3zmloJ7PGBU99zaMz3ADaI4bme9 XmZP3X6y2G/c9SDroLQvgWNKDaSCv15jcVgZxDvJwKpcbbxRONogad9f7BIWJRsB h11O7LNiEMTkDGhXwncRPv1Y/pJkiUaEUVq62xXu+8YBM8MdkMjTWXCUVQS3qjI= =g3JT -----END PGP SIGNATURE----- _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] NSEC4 Miek Gieben
- Re: [dnsext] NSEC4 Roy Arends
- Re: [dnsext] NSEC4 Matthijs Mekking
- Re: [dnsext] NSEC4 Ben Laurie
- Re: [dnsext] NSEC4 Andrew Sullivan
- Re: [dnsext] NSEC4 Matthijs Mekking
- Re: [dnsext] NSEC4 Ben Laurie
- Re: [dnsext] NSEC4 Blacka, David
- Re: [dnsext] NSEC4 Miek Gieben
- Re: [dnsext] NSEC4 Alex Bligh
- Re: [dnsext] NSEC4 Miek Gieben