Re: [dns-operations] nsec vs nsec3 use

2021-04-14 Thread Casey Deccio
> On Apr 12, 2021, at 7:51 PM, Viktor Dukhovni wrote:
>
> I don't monitor NSEC3 vs. NSEC on a regular basis, but a few weeks back
> I took a survey of at the time ~14.4 million DNSSEC signed domains, of
> which ~10.9 million used NSEC3.

We did a study a few years ago, with a much smaller data

Re: [dns-operations] [Ext] Historical reminiscences (was Re: nsec vs nsec3 use)

2021-04-14 Thread Paul Vixie
On Wed, Apr 14, 2021 at 07:00:40PM -0400, Dave Lawrence wrote:
> To me, Andrew's retelling of the facts but for the emphasis.
>
> There's stated reasons, then there's the motivating reasons. GDPR was
> useful in making the argument, but Verisign and the pain of .com were
> the real motivation.

Re: [dns-operations] [Ext] Historical reminiscences (was Re: nsec vs nsec3 use)

2021-04-14 Thread Dave Lawrence
To me, Andrew's retelling of the facts but for the emphasis. There's stated reasons, then there's the motivating reasons. GDPR was useful in making the argument, but Verisign and the pain of .com were the real motivation. ___ dns-operations mailing list

[dns-operations] F-Root and DNS Cookies?

2021-04-14 Thread Dave Lawrence
A few recent analyses I've done at DNSViz have had warnings like these: com/DS (alg 8, id 30909): The server appears to support DNS cookies but did not return a COOKIE option. (192.5.5.241, UDP_-_EDNS0_4096_D_KN) Now I realize that F-Root is a large, heterogeneous set. Any idea which

Re: [dns-operations] nsec vs nsec3 use

2021-04-14 Thread James Stevens
NSEC has a lighter load on NS servers as they don't have to do the NSEC3 hashing on the fly

J

Re: [dns-operations] [Ext] Historical reminiscences (was Re: nsec vs nsec3 use)

2021-04-14 Thread Wellington, Brian via dns-operations
That all sounds about right to me, too. I don’t remember ever yelling into a microphone at an IETF, but I do remember signing all of .com (without NSEC3) in the span of an hour-long dnsext meeting, to show that it was possible with affordable hardware in a reasonable

Re: [dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

2021-04-14 Thread Samuel Weiler
On Tue, 13 Apr 2021, Andrew Sullivan wrote:

Hi,

On Tue, Apr 13, 2021 at 12:40:08PM -0400, Viktor Dukhovni wrote:

NSEC3 was primarily designed for "opt-out", which actually deliberately reduces security in order to gain a more compact zone with fewer records to sign.

[…]

While discouraging

Re: [dns-operations] [Ext] Historical reminiscences (was Re: nsec vs nsec3 use)

2021-04-14 Thread Edward Lewis
On 4/13/21, 7:38 PM, "dns-operations on behalf of Andrew Sullivan" wrote:
>Maybe some others have a different memory of this, though?

I agree with that re-telling. The idea of an opt-out/in existed prior to NSEC3, it was even implemented in experimental code but never released because the

[dns-operations] Name:Wreck vulnerability

2021-04-14 Thread Stephane Bortzmeyer
Time for a new vulnerability-with-a-catchy-name. Name:Wreck is a bug in some implementations of DNS clients when dereferencing compression pointers, in some cases leading to remote code execution when parsing a malicious packet.

Re: [dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

2021-04-14 Thread Jim Reid
> On 14 Apr 2021, at 01:30, Paul Vixie wrote:
>
> that matches my recollection. there are other story elements, such as
> the working group meeting that devolved to queues of people shouting
> at each other from various microphones.

Paul, are you suggesting that’s only ever happened at *one*

Re: [dns-operations] Historical reminiscences (was Re: nsec vs nsec3 use)

2021-04-14 Thread Jaap Akkerhuis
Andrew Sullivan writes:

About this part:

> <...>
> raise problems for them due to zone walking[1], and so something else
> had to be created. The zone-walking-resistant NSEC3 was an
> opportunity to reintroduce opt-out,
>
> Maybe some others have a different memory of this, though?
>