[dns-operations] NSEC3PARAM iteration count update
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Dec 21 16:54:10 UTC 2017
> On Dec 21, 2017, at 4:45 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
> On Thu, Dec 21, 2017 at 03:17:53AM -0500,
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote
> a message of 137 lines which said:
>
>> So, in all, 273 domains are misconfigured with counter-productively high
>> iteration counts.
>
> At least one developer heard you:
>
> https://github.com/miekg/dns/issues/611
Thanks for the reference. Sadly, the proposed change to "cap at 5000"
somewhat misses the point. The largest interoperable and operationally
robust server-side cap is 150. For interoperability, the RFC5155 table
needs to be a *floor* on the iteration caps that a resolver operator
should be able select (without overriding some sort of warning about
potential loss of interoperability). Smaller resolver-side limits will
work poorly with peer-domains that choose to max-out the RFC5155 caps.
I added some comments on the github issue.
--
Viktor.
More information about the dns-operations
mailing list