[dns-operations] NSEC3PARAM iteration count update

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Dec 21 16:54:10 UTC 2017

> On Dec 21, 2017, at 4:45 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Dec 21, 2017 at 03:17:53AM -0500,
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote 
> a message of 137 lines which said:
>> So, in all, 273 domains are misconfigured with counter-productively high
>> iteration counts.
> At least one developer heard you:
> https://github.com/miekg/dns/issues/611

Thanks for the reference.  Sadly, the proposed change to "cap at 5000"
somewhat misses the point.  The largest interoperable and operationally
robust server-side cap is 150.  For interoperability, the RFC5155 table
needs to be a *floor* on the iteration caps that a resolver operator
should be able select (without overriding some sort of warning about
potential loss of interoperability).  Smaller resolver-side limits will
work poorly with peer-domains that choose to max-out the RFC5155 caps.

I added some comments on the github issue.


More information about the dns-operations mailing list