[dns-operations] IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Apr 16 18:56:50 UTC 2021
On Fri, Apr 16, 2021 at 02:29:07PM -0400, Puneet Sood via dns-operations wrote:
> Google Public DNS is also planning to cap NSEC3 iterations to a safe value.
> Do you have data you can share on the prevalence of high iteration count
> NSEC3 zones?
Sure, below are the absolute, percentile, and cumulative percentile
frequencies by iteration count for ~10.9 million domains using NSEC3.
The cumulative numbers are from 0 iterations up, but the table below is
in reverse order, showing the high iterations first; I hope that's not
too confusing.
The suggested cutoff is presently at 150, with just 279 zones out of
10.9 million using more than 150 iterations.
#iters   #zones   %zones  cumulative%
------  -------  -------  -----------
  4096        1   0.0000     100.0000
  2500        3   0.0000     100.0000
  2000        1   0.0000     100.0000
  1600       50   0.0005     100.0000
  1337        2   0.0000      99.9995
  1024        1   0.0000      99.9995
   500       67   0.0006      99.9995
   487        1   0.0000      99.9989
   423        1   0.0000      99.9988
   400        6   0.0001      99.9988
   360        1   0.0000      99.9988
   333        3   0.0000      99.9988
   330       56   0.0005      99.9987
   300        4   0.0000      99.9982
   250       61   0.0006      99.9982
   200        3   0.0000      99.9976
   197        1   0.0000      99.9976
   177       17   0.0002      99.9976
------------- suggested cutoff -------------
   150     5070   0.0464      99.9974
   149       21   0.0002      99.9510
   128        6   0.0001      99.9508
   127     2956   0.0271      99.9508
   120        1   0.0000      99.9237
   107       15   0.0001      99.9237
   101        1   0.0000      99.9236
   100   978251   8.9571      99.9236
    99        5   0.0000      90.9665
    96        1   0.0000      90.9664
    90       20   0.0002      90.9664
    85       26   0.0002      90.9662
    81        8   0.0001      90.9660
    80        1   0.0000      90.9659
    75       33   0.0003      90.9659
    69        1   0.0000      90.9656
    64       16   0.0001      90.9656
    55        1   0.0000      90.9654
    54        1   0.0000      90.9654
    53        1   0.0000      90.9654
    52       18   0.0002      90.9654
    51        1   0.0000      90.9652
    50    11837   0.1084      90.9652
    43        1   0.0000      90.8569
    42       16   0.0001      90.8568
    40    50605   0.4634      90.8567
    35       12   0.0001      90.3933
    34        1   0.0000      90.3932
    33      697   0.0064      90.3932
    32       74   0.0007      90.3868
    31        4   0.0000      90.3862
    30       12   0.0001      90.3861
    25       27   0.0002      90.3860
    24       66   0.0006      90.3858
    23       20   0.0002      90.3852
    22        4   0.0000      90.3850
    21     5383   0.0493      90.3849
    20   510107   4.6707      90.3357
    19        5   0.0000      85.6650
    18        8   0.0001      85.6649
    17       13   0.0001      85.6649
    16    14801   0.1355      85.6648
    15     4113   0.0377      85.5292
    14       19   0.0002      85.4916
    13       88   0.0008      85.4914
    12   302246   2.7674      85.4906
    11      106   0.0010      82.7232
    10  1204263  11.0265      82.7222
     9       40   0.0004      71.6957
     8  1168469  10.6988      71.6953
     7    25308   0.2317      60.9965
     6       55   0.0005      60.7648
     5  1366608  12.5130      60.7643
     4       40   0.0004      48.2513
     3    28243   0.2586      48.2509
     2     3816   0.0349      47.9923
     1  5234737  47.9305      47.9574
     0     2933   0.0269       0.0269
--
Viktor.
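An added example, not part of Viktor's message or any of the tools mentioned in the thread: the RFC 5155 NSEC3 hash (SHA-1 iterated over name-plus-salt) in Python, so an operator can see what each extra iteration costs a validating resolver and check a zone's own NSEC3PARAM record against the 150-iteration cutoff discussed above. Function names are my own; the sample record uses the parameters from RFC 5155 Appendix A (salt aabbccdd, 12 iterations), and the 4096-iteration record is a constructed example of the worst case in the table.

```python
import hashlib
from base64 import b32encode

# Cutoff from the message above: only 279 of ~10.9M NSEC3 zones exceed it.
SUGGESTED_CUTOFF = 150

# RFC 4648 base32 -> base32hex (the alphabet NSEC3 owner names use)
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a DNS name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):               # each iteration is one more SHA-1 call
        digest = hashlib.sha1(digest + salt).digest()
    return b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def sha1_calls_per_name(iterations: int) -> int:
    """SHA-1 invocations a resolver spends per owner name it must hash."""
    return iterations + 1

def check_nsec3param(rr: str, cutoff: int = SUGGESTED_CUTOFF) -> dict:
    """Parse an NSEC3PARAM RR in presentation format and flag an excessive iteration count."""
    fields = rr.split()
    i = fields.index("NSEC3PARAM")            # TTL and class are optional, so anchor on the type
    alg, flags, iters, salt = fields[i + 1], fields[i + 2], int(fields[i + 3]), fields[i + 4]
    return {
        "owner": fields[0], "hash_alg": alg, "flags": flags, "salt": salt,
        "iterations": iters,
        "too_high": iters > cutoff,
        # relative resolver cost versus a zone using 0 iterations
        "cost_factor": sha1_calls_per_name(iters) / sha1_calls_per_name(0),
    }

if __name__ == "__main__":
    # RFC 5155 Appendix A parameters; constructed 4096-iteration record for the worst case above
    for rr in ("example. 3600 IN NSEC3PARAM 1 0 12 aabbccdd",
               "slow.example. IN NSEC3PARAM 1 0 4096 -"):
        print(check_nsec3param(rr))
    print(nsec3_hash("example.", "aabbccdd", 12))
```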