On 10 Mar 2017, at 12:38, Dave Lawrence wrote:
Paul Hoffman writes:
Is there a community of zone admins who want this so much that they
won't start signing until it exists?
I think that question is a little extreme and need not go that far to
determine whether something is worthwhile to pursue.
Fully agree. That's why I followed it with:
Short of that, is there a community of zone admins who are using
NSEC/NSEC3 white lies who find this to be a significant improvement?
My interest in NSEC5 is largely around the significant performance
gains it has over NSEC3-WhiteLies, with double the throughput reported
in "Can NSEC5 be Practical for DNSSEC Deployments"
<https://eprint.iacr.org/2017/099.pdf>.
I found the paper intriguing, but possibly confusing. My reading is that
it compares an optimized server using NSEC5 against an unoptimized
server using NSEC3 White Lies. If my reading is correct, a better
comparison would be if they added a reasonably-efficient NSEC3 White
Lies feature to their server for comparison. If my reading is wrong,
then great, 2x for negative answers seems like a good speedup.
We have a large number of zones that are not yet signed, and a
non-trivial part of that is because of performance. NSEC5 has an
impact in addressing that issue.
Professionally, I'm somewhat less concerned about the enumeration
issue because at least some of the zones where I want to use it
have highly structured names anyway. Enumerating them is trivial even
in plain old non-DNSSEC DNS. In the other, less-structured zones that
we already sign we use classic NSEC3 and are considering going to
NSEC3-WL on behalf of customers that do care about it. We have online
ksks for other features required of these zones.
On a personal level I appreciate that this proposal enhances ksk
security while addressing the enumeration problem.
Thanks, this makes me hopeful if the 2x performance number holds up.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop