--On 22 January 2010 12:04:07 +0100 Olaf Kolkman <[email protected]> wrote:
Strawman text said:
Though some claim all data in the DNS should be considered public, it
sometimes is considered to be more then private, but less then public
data.
That does not describe the problem well, in that (1) it is not
the data that is somewhere between public and private, it is
that the mechanisms of access to that data that change, and (2) it
completely ignores opt-out. How about
Though all agree DNS data should be accessible through query
mechanisms, a side effect of NSEC is that it allows the contents of
a zone file to be enumerate in full by sequential query. Whilst for
some operators this behaviour is acceptable or even desirable, for
others it is undesirable for policy, regulatory or other reasons.
This is the first reason for development of NSEC3.
The second reason for the existence of NSEC3 is that NSEC requires
a signature over every RR in the zonefile, thereby ensuring that
any denial of existence is cryptographically signed. However, in a
large zonefile containing many delegations very few of which are to
signed zones, this may produce unacceptable additional overhead
especially where insecure delegations are subject to frequent
update (a typical example might be a TLD operator with few
registrants using secure delegations). NSEC3 allows intervals
between two such delegations to "Opt-out" in which case they may
contain one more more insecure delegations, thus reducing the size
and cryptographic complexity of the zone.
5.3.4 Opt-out
An Opt-Out NSEC3 RR does not assert the existence or non-existence of the
insecure delegations that it may cover. This allows for the addition or
removal of these delegations without recalculating or re- signing RRs in
the NSEC3 RR chain. Therefor, Opt-Out should be avoided if possible.
1. Therefor*e*
2. I don't think the last sentence follows from the foregoing, in that
this behaviour is desirable for the zone operator! (I know what
you mean).
3. Aside from that, I don't think an injunction to avoid Opt-Out in
these terms is sensible in a delegation only zone. In such a zone,
I don't really see the additional security risk from opt out across
insecure delegations, given if a spoof can be done, it can be
done at the delegated zone level. There are considerable operational
advantages in Opt Out (zone size, cryptographic complexity etc.)
for large zones only sparsely populated with secure delegations,
particularly where few queries have DO set anyway.
--
Alex Bligh
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
