On Fri, 22 Jan 2010, Alex Bligh wrote:
>> If I secure example.org, and .org is signed, OPT-OUT might cause a spoofed
>> exemple.org to not be caught by the user's validating resolver. Therefore,
>> I do think opt-out should be avoided when possible.

> If I run .org, which is signed, but example.org is NOT signed (i.e.
> is an unsigned delegation), there seems to be little reason to avoid opt-out
> across it.

I was talking about the situation where example.org is signed, the .org
is opt-out and exemple.org does not exist. For many, it is impossible
to register all typo-squat domains, so this is a real scenario.

Having verifiable deniability for typo-squatted domains is very useful.
> I meant computational resource requirements resulting from crypto
> operations, not algorithmic complexity.

I had no problems doing this on a 1.2M-domain TLD zone, using off-the-shelf
hardware, integrating into the TLD's hourly update interval.
(http://www.cira.ca/dnssec/)

The only issues encountered were indeed the increased memory usage
on the nameservers, but those can still run fine on commodity hardware.
Though I recommend 64-bit to avoid any 3G or 4G per-process memory
allocation issues.
> It might be worth mentioning (but is perhaps blindingly obvious) that
> NSEC3 is substantially more complex in terms of implementation than
> NSEC. Whilst one can by visual inspection spot the odd problem with
> a small zone's NSEC chain, it's far harder with NSEC3. Obviously, if
> a tool chain is used to NSECify and sign the zone, that's a problem
> for the implementor rather than the operator.

Commercial and free tools are readily available.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
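The disagreement above (a signed example.org under an opt-out .org, and a forged referral for the non-existent typo name exemple.org) can be made concrete. The following is an added illustration, not code from the thread or from any of the tools it mentions: a toy validator that hashes names per RFC 5155 section 5 and applies the closest-encloser / opt-out rules of sections 8.3 and 8.9 to a referral. The ".org" contents are constructed; the salt aabbccdd and 12 iterations are the RFC 5155 Appendix A parameters, reused so the hash routine can be checked against the RFC's own vectors. RRSIG verification of the NSEC3 records is assumed to have already passed, so only the denial-of-existence logic is modelled.

```python
import base64
import hashlib
from dataclasses import dataclass

OPT_OUT = 0x01  # NSEC3 Flags bit (RFC 5155 s3.1.2.1)

# base32hex (RFC 4648 "Extended Hex") by remapping Python's standard base32 alphabet
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte.
    Plain ASCII labels only; DNS escape sequences are not handled."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); SHA-1 only."""
    h = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    # 20 bytes -> 32 base32hex chars with no padding; base32hex preserves byte ordering
    return base64.b32encode(h).decode().translate(_TO_B32HEX).lower()


@dataclass
class NSEC3:
    owner_hash: str
    next_hash: str
    flags: int
    types: frozenset  # the record's type bitmap


def covers(rec: NSEC3, h: str) -> bool:
    """True if h lies strictly inside the span (owner, next); the last record wraps around."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


@dataclass
class Zone:
    name: str
    salt: bytes
    iterations: int
    chain: list

    def match(self, name):
        h = nsec3_hash(name, self.salt, self.iterations)
        return next((r for r in self.chain if r.owner_hash == h), None)

    def cover(self, name):
        h = nsec3_hash(name, self.salt, self.iterations)
        return next((r for r in self.chain if covers(r, h)), None)


def build_zone(name, salt, iterations, rrsets, opt_out):
    """rrsets: {owner: set(types)}. With Opt-Out, insecure delegations (NS, no DS) are
    left out of the chain and every NSEC3 carries the flag (RFC 5155 s7.1)."""
    def insecure_delegation(t):
        return "NS" in t and "DS" not in t and "SOA" not in t  # SOA excludes the apex
    kept = {n: t for n, t in rrsets.items() if not (opt_out and insecure_delegation(t))}
    hashed = sorted((nsec3_hash(n, salt, iterations), frozenset(t)) for n, t in kept.items())
    flags = OPT_OUT if opt_out else 0
    chain = [NSEC3(h, hashed[(i + 1) % len(hashed)][0], flags, t)
             for i, (h, t) in enumerate(hashed)]
    return Zone(name, salt, iterations, chain)


def ancestors(qname, zone):
    """qname first, then each ancestor up to and including the zone apex."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(labels) - len(zone.rstrip(".").lower().split("."))
    return [".".join(labels[i:]) for i in range(depth + 1)]


def validate_referral(zone: Zone, qname: str, response_has_ds: bool) -> str:
    """'secure': DS present and the chain agrees one exists (continue into the child);
    'insecure': the zone cannot or will not deny an unsigned delegation here;
    'bogus': the chain proves the referral is forged or its DS was stripped."""
    names = ancestors(qname, zone.name)
    exact = zone.match(names[0])
    if exact is not None:                         # qname provably exists
        if "NS" not in exact.types:
            return "bogus"                        # exists, but is not a delegation
        if "DS" in exact.types:
            return "secure" if response_has_ds else "bogus"  # DS stripping is caught
        return "insecure"                         # unsigned child the zone admits to
    # RFC 5155 s8.3 closest-encloser proof: the nearest existing ancestor matches an
    # NSEC3, and the name one label below it ("next closer name") must be covered.
    for i in range(1, len(names)):
        if zone.match(names[i]) is not None:
            cov = zone.cover(names[i - 1])
            if cov is None:
                return "bogus"                    # no covering span: proof is missing
            if cov.flags & OPT_OUT:
                return "insecure"                 # s8.9: span may hide unsigned delegations
            return "bogus"                        # proven non-existent: referral is forged
    return "bogus"


# Constructed toy contents for a signed ".org" (not real data); RFC 5155 Appendix A
# salt and iteration count, reused so nsec3_hash can be checked against the RFC vectors.
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
RRSETS = {
    "org":          {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "example.org":  {"NS", "DS", "RRSIG"},   # the secured child from the thread
    "unsigned.org": {"NS"},                  # an insecure delegation (no DS)
    "zzz.org":      {"NS", "DS", "RRSIG"},
}


def demo():
    """The same three referrals judged against a non-opt-out and an opt-out chain."""
    out = {}
    for opt_out in (False, True):
        z = build_zone("org", SALT, ITERATIONS, RRSETS, opt_out)
        out[opt_out] = {
            "forged exemple.org": validate_referral(z, "exemple.org", False),
            "example.org, DS stripped": validate_referral(z, "example.org", False),
            "unsigned.org": validate_referral(z, "unsigned.org", False),
        }
    return out


if __name__ == "__main__":
    for opt_out, res in demo().items():
        print("opt-out" if opt_out else "no opt-out", res)
```

Running it shows the split the thread is about: with the non-opt-out chain the forged exemple.org referral comes back "bogus", because an NSEC3 without the flag covering its hash proves the name does not exist; with the opt-out chain the very same forged referral comes back "insecure", since the covering span may legitimately hide unsigned delegations and the resolver has nothing to contradict the attacker. Stripping the DS from the genuinely signed example.org is caught in both modes, which is why the exposure is confined to names the zone does not hold, exactly the typo-squat case.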