> On 22 Oct 2021, at 4:48 am, Vladimír Čunát wrote:
>
> Example micro-benchmark doing just the NSEC3 hashing shows that even quite
> long 32B salt has little effect but 255B adds a noticeable multiplicative
> factor. Therefore I'd suggest that NSEC3 records with salt > 32B may be
> ignored
On 21/10/2021 23.20, Viktor Dukhovni wrote:
2. Resolvers could still cope with such numbers pretty confidently.
This is where I'm looking for experienced feedback from resolver
maintainers and operators.
I don't think that NSEC3 hashing could consume significant resources in
*normal*
On Wed, Oct 20, 2021 at 11:24:47AM -0700, Wes Hardaker wrote:
> But, as Viktor indicated in his posts, we could move even lower (100
> being the next obvious step, but even lower is possible to still retain
> a reasonable percentage). But there is of course a risk that we'll never
> get to a
On 21/10/2021 13.22, Peter van Dijk wrote:
Editorial nit, already hinted at above: the text currently has "Validating resolvers MAY
return SERVFAIL when processing NSEC3 records with iterations larger than 500." - I suggest
changing this to "validating resolvers MAY ignore NSEC3 records with
Matthijs Mekking wrote on 2021-10-21 06:49:
...
I agree lower is better, but let's not pick a number randomly, but
have data to back up that number.
if we need a number that has objective merit, it is zero (0).
On 21-10-2021 15:28, Miek Gieben wrote:
...
...
I would recommend
IIRC the vendors agreed on 150 for two reasons:
1. There are still a fair amount of zones using this value. Only a
handful of zones were using above 150.
2. Resolvers could still cope with such numbers pretty confidently.
I agree lower is better, but let's not pick a number randomly, but
[ Quoting in "Re: [DNSOP] wrapping up draft-ietf-..." ]
I don't know what the -right- value is, but I know what I want: 0 iterations,
empty salt, otherwise the NSEC3 gets ignored, presumably leading to SERVFAIL.
This removes the 'insecure' window completely.
So, I'll support any push to
On 21-10-2021 13:22, Peter van Dijk wrote:
On Wed, 2021-10-20 at 11:24 -0700, Wes Hardaker wrote:
So, the question: what's the right FINAL value to put in the draft
before LC?
I don't know what the -right- value is, but I know what I want: 0 iterations,
empty salt, otherwise the NSEC3
On Wed, 2021-10-20 at 11:24 -0700, Wes Hardaker wrote:
> So, the question: what's the right FINAL value to put in the draft
> before LC?
I don't know what the -right- value is, but I know what I want: 0 iterations,
empty salt, otherwise the NSEC3 gets ignored, presumably leading to SERVFAIL.
Good folks,
I think that draft-ietf-dnsop-nsec3-guidance is fairly well boiled, so
I'm asking for a last call on moving toward a last call. The draft is
intentionally short and to the point but at the same time we've waited a
while to see what the industry would do with the guidance. Viktor's