> On Mar 11, 2015, at 9:39 AM, Jan Včelák <jan.vce...@nic.cz> wrote:
>
> On 11.3.2015 17:30, Florian Weimer wrote:
>> On 03/11/2015 05:19 PM, Jan Včelák wrote:
>>
>>>> It's not clear if the security goals make sense. What do zone operators
>>>> gain if zone enumeration attacks are moved from offline to online, other
>>>> than a need to provision additional server capacity? It's not that they
>>>> can block resolution requests from large resolvers if a part of their
>>>> client population participates in aggressive enumeration.
>>>
>>> It depends whether you see zone enumeration as a problem.
>>
>> If I really want to enumerate a zone, I will just send my dictionary as
>> queries, possibly through open resolvers. People are reckless like
>> that. At least with NSEC3, polite attackers can do some of the
>> processing off-line, without punishing authoritative servers or
>> resolvers. NSEC5 takes away that option. Do the existing enumerators
>> care? Who knows.
>
> I really can't tell. I don't know.
Proposal: until there is evidence that there is a community that needs the
features of NSEC5 that cannot be easily replicated in NSEC3, this WG does not
consider a protocol change that would require every resolver to be updated.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop