On Mon, Oct 18, 2021 at 12:43:51AM -0400, Viktor Dukhovni wrote:
> On Fri, Oct 15, 2021 at 04:30:37PM -0700, [email protected] wrote:
>
> > Filename : draft-ietf-dnsop-nsec3-guidance-01.txt
> >
> > Abstract:
> > NSEC3 is a DNSSEC mechanism providing proof of non-existence by
> > promising there are no names that exist between two domain names
> > within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly
> > disclosing the bounding domain name pairs. This document provides
> > guidance on setting NSEC3 parameters based on recent operational
> > deployment experience.
>
> We were waiting for TransIP to complete the migration of their managed
> DNS domains from 100 iterations to 0, before collecting fresh NSEC3
> iteration count deployment statistics.
>
> That has now been done, and the results are below:
>
> Zones successfully probed: 16,302,535
> Zones using NSEC3: 12,460,057 76.4% (of signed zones)
> Zones using opt-out: 1,162,869 9.3% (of NSEC3 zones)

Based on the stats it looks plausibly realistic to set the bar as low as
50 iterations, if there's a desire to urge the community to make a final
round of downward adjustments. Or else we could declare victory; the
recent encouragement to use 150 or less shows very good "compliance".
A middle ground might be to set the bar at 100.

The number of zones in the 21 to 50 range is 74,756 and there are
531,146 zones at 20. So a maximally aggressive goal could be 20
or less, but would take more time and effort.

Bikeshed away!

There's a fairly small number of operators to persuade to reduce
iterations to 50 or less. A comparatively small number of operators
revising their settings to 50 or less would reduce an already rather low
rate of domains with 51 or more iterations to essentially insignificant
levels:

 #zones  #iters  SOA mname
------------------------------------------------
   7979     100  root-dns.netcup.net
   2289     100  ns.nlhosting.net
   2162     100  ns1.core-networks.de
   1790     100  ns0-auth.businessconnect.nl
    748     100  ns0.transip.net
    689     100  ns1.nextpertise.nl
    575     100  ns1.acmeweb.nl
    459     100  nsa.perf1.fr
    449     100  a.dns-i.net
    434     100  ns10.kibernet.hu
    406     100  ns1.absolight.net
    256     100  ns1.isaac.nl
    202     100  ns1.codeforce.nl
    181     100  ns1.worldstream.nl
    124     100  ns1.metaname.net
     99     100  ns1.vshosting.cz
------------------------------------------------
  18842     100  out of 20,183 in all

 #zones  #iters  SOA mname
------------------------------------------------
   5810     150  ns1.mijnhostingpartner.nl
    234     150  ns1.inmoves.nl
    102     150  ns1-eu.123ns.eu
------------------------------------------------
   6146     150  out of 6351

 #zones  #iters  SOA mname
------------------------------------------------
     85     500  dfw-infma1.ext.ray.com
------------------------------------------------
     85     500  out of 101

--
Viktor.
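
The per-MNAME tables above are the output of a survey that reads each signed zone's NSEC3PARAM record and its SOA MNAME and then counts zones above a proposed iteration ceiling. The script below is an added example (not Viktor's survey code and not part of the draft) that does that tally over a constructed list of (zone, SOA MNAME, NSEC3PARAM rdata) triples; the zone and server names in SAMPLE are made up, and the NSEC3PARAM presentation format it parses is "hash-alg flags iterations salt" as in RFC 5155, with "-" standing for an empty salt.

```python
"""Added example: tally NSEC3 iteration counts per authoritative operator.

Reads (zone, SOA MNAME, NSEC3PARAM rdata) triples, buckets zones by
iteration count and reports which operators keep the most zones above a
proposed ceiling (20, 50, 100 ...), mirroring the per-MNAME tables in the
dnsop message. All names and counts in SAMPLE are constructed.
"""
from collections import Counter

# Constructed sample zones; the MNAMEs are placeholders, not real operators.
SAMPLE = [
    ("a.example.", "ns1.alpha.example.",   "1 0 0 -"),
    ("b.example.", "ns1.alpha.example.",   "1 0 0 -"),
    ("c.example.", "ns1.beta.example.",    "1 0 10 AABB"),
    ("d.example.", "ns1.beta.example.",    "1 0 20 AABB"),
    ("e.example.", "ns1.gamma.example.",   "1 0 100 0123"),
    ("f.example.", "ns1.gamma.example.",   "1 0 100 4567"),
    ("g.example.", "ns1.gamma.example.",   "1 0 100 89AB"),
    ("h.example.", "ns1.delta.example.",   "1 0 150 CDEF"),
    ("i.example.", "ns1.epsilon.example.", "1 0 500 -"),
]


def parse_nsec3param(rdata: str) -> dict:
    """Parse one NSEC3PARAM rdata string; raise ValueError if malformed."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {rdata!r}")
    alg, flags, iterations, salt = fields
    alg, flags, iterations = int(alg), int(flags), int(iterations)
    if alg != 1:
        raise ValueError(f"unknown NSEC3 hash algorithm {alg} (only 1 = SHA-1 is defined)")
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of 8-bit range: {flags}")
    if not 0 <= iterations <= 65535:
        raise ValueError(f"iterations out of 16-bit range: {iterations}")
    # "-" denotes the empty salt; otherwise an even-length hex string.
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt_bytes}


def is_valid_nsec3param(rdata: str) -> bool:
    """True if the rdata parses cleanly, False on any malformed field."""
    try:
        parse_nsec3param(rdata)
        return True
    except ValueError:
        return False


def tally(records, ceiling: int):
    """Return (zones per iteration count, zones above `ceiling` per SOA MNAME)."""
    per_iterations = Counter()
    over_by_mname = Counter()
    for _zone, mname, rdata in records:
        it = parse_nsec3param(rdata)["iterations"]
        per_iterations[it] += 1
        if it > ceiling:
            over_by_mname[mname] += 1
    return per_iterations, over_by_mname


def share_over(per_iterations: Counter, ceiling: int) -> float:
    """Fraction of surveyed zones whose iteration count exceeds `ceiling`."""
    total = sum(per_iterations.values())
    over = sum(n for it, n in per_iterations.items() if it > ceiling)
    return over / total if total else 0.0


def report(records, ceiling: int) -> str:
    """Plain-text table of operators with zones above `ceiling`, largest first."""
    per_iterations, over_by_mname = tally(records, ceiling)
    lines = [
        f"zones above {ceiling} iterations: "
        f"{sum(over_by_mname.values())} of {sum(per_iterations.values())} "
        f"({100 * share_over(per_iterations, ceiling):.1f}%)",
        "",
        f"{'#zones':>7}  SOA mname",
    ]
    for mname, n in over_by_mname.most_common():
        lines.append(f"{n:>7}  {mname}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ceiling in (20, 50, 100):
        print(report(SAMPLE, ceiling))
        print()
```

The triples would normally come from querying the SOA and NSEC3PARAM records at the apex of every signed zone in the survey; the script assumes that collection step has already been done and only shows the bucketing and the per-operator ranking that turns a raw distribution into a short list of operators worth contacting.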
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop