[dns-operations] IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low
Warren Kumari
warren at kumari.net
Sat Apr 17 14:43:27 UTC 2021
On Fri, Apr 16, 2021 at 3:04 PM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:
> On Fri, Apr 16, 2021 at 02:29:07PM -0400, Puneet Sood via dns-operations
> wrote:
>
> > Google Public DNS is also planning to cap NSEC3 iterations to a safe
> > value.
> > Do you have data you can share on the prevalence of high iteration count
> > NSEC3 zones?
>
> Sure, below are the absolute, percentile, and cumulative percentile
> frequencies by iteration count for ~10.9 million domains using NSEC3.
> The cumulative numbers are from 0 iterations up, but the table below is
> in reverse order, showing the high iterations first, I hope that's not
> too confusing.
>
> The suggested cutoff is presently at 150, with just 279 zones out of
> 10.9 million using more than 150 iterations.
Thank you for doing this work - it’s helpful.
Do you happen to have the list of the 279 anywhere? I realize that it
*shouldn’t* matter, but if some of these are really “popular” domains the
calculation is different to them being domains which get almost no traffic.
Also, perhaps we can do some outreach to the affected domains if easy?
W
>
> #iters #zones %zones cumulative%
> ------ ------ ------ -----------
> 4096 1 0.0000 100.0000
> 2500 3 0.0000 100.0000
> 2000 1 0.0000 100.0000
> 1600 50 0.0005 100.0000
> 1337 2 0.0000 99.9995
> 1024 1 0.0000 99.9995
> 500 67 0.0006 99.9995
> 487 1 0.0000 99.9989
> 423 1 0.0000 99.9988
> 400 6 0.0001 99.9988
> 360 1 0.0000 99.9988
> 333 3 0.0000 99.9988
> 330 56 0.0005 99.9987
> 300 4 0.0000 99.9982
> 250 61 0.0006 99.9982
> 200 3 0.0000 99.9976
> 197 1 0.0000 99.9976
> 177 17 0.0002 99.9976
> ----------- suggested cutoff -------------
> 150 5070 0.0464 99.9974
> 149 21 0.0002 99.9510
> 128 6 0.0001 99.9508
> 127 2956 0.0271 99.9508
> 120 1 0.0000 99.9237
> 107 15 0.0001 99.9237
> 101 1 0.0000 99.9236
> 100 978251 8.9571 99.9236
> 99 5 0.0000 90.9665
> 96 1 0.0000 90.9664
> 90 20 0.0002 90.9664
> 85 26 0.0002 90.9662
> 81 8 0.0001 90.9660
> 80 1 0.0000 90.9659
> 75 33 0.0003 90.9659
> 69 1 0.0000 90.9656
> 64 16 0.0001 90.9656
> 55 1 0.0000 90.9654
> 54 1 0.0000 90.9654
> 53 1 0.0000 90.9654
> 52 18 0.0002 90.9654
> 51 1 0.0000 90.9652
> 50 11837 0.1084 90.9652
> 43 1 0.0000 90.8569
> 42 16 0.0001 90.8568
> 40 50605 0.4634 90.8567
> 35 12 0.0001 90.3933
> 34 1 0.0000 90.3932
> 33 697 0.0064 90.3932
> 32 74 0.0007 90.3868
> 31 4 0.0000 90.3862
> 30 12 0.0001 90.3861
> 25 27 0.0002 90.3860
> 24 66 0.0006 90.3858
> 23 20 0.0002 90.3852
> 22 4 0.0000 90.3850
> 21 5383 0.0493 90.3849
> 20 510107 4.6707 90.3357
> 19 5 0.0000 85.6650
> 18 8 0.0001 85.6649
> 17 13 0.0001 85.6649
> 16 14801 0.1355 85.6648
> 15 4113 0.0377 85.5292
> 14 19 0.0002 85.4916
> 13 88 0.0008 85.4914
> 12 302246 2.7674 85.4906
> 11 106 0.0010 82.7232
> 10 1204263 11.0265 82.7222
> 9 40 0.0004 71.6957
> 8 1168469 10.6988 71.6953
> 7 25308 0.2317 60.9965
> 6 55 0.0005 60.7648
> 5 1366608 12.5130 60.7643
> 4 40 0.0004 48.2513
> 3 28243 0.2586 48.2509
> 2 3816 0.0349 47.9923
> 1 5234737 47.9305 47.9574
> 0 2933 0.0269 0.0269
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
--
Perhaps they really do strive for incomprehensibility in their specs.
After all, when the liturgy was in Latin, the laity knew their place.
-- Michael Padlipsky
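An added audit helper, not code from this thread or from any of its posters, that decodes NSEC3PARAM records and flags zones above the cutoff discussed above; it assumes the RFC 5155 wire format and uses constructed sample zones rather than real ones. The hash function is included only to make the per-name cost (iterations plus one SHA-1 computation) concrete.

```python
"""Audit NSEC3PARAM iteration counts against a cap such as the 150 proposed
in this thread. Added example, not code from the list or its posters.
RFC 5155 layout: hash alg (1 octet), flags (1 octet), iterations (2 octets,
network order), salt length (1 octet), salt. NSEC3 hash = SHA-1 run
iterations+1 times, salt appended at every step."""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

SUGGESTED_CAP = 150  # cutoff discussed in the thread
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def parse_nsec3param(rdata: bytes) -> Dict[str, object]:
    """Decode wire-format NSEC3PARAM RDATA; raise ValueError if malformed."""
    if len(rdata) < 5:
        raise ValueError("NSEC3PARAM RDATA shorter than fixed header")
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    salt = rdata[5:]
    if len(salt) != salt_len:
        raise ValueError("salt length field does not match RDATA length")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt}

def nsec3_hash(owner: str, salt: bytes, iterations: int) -> Tuple[str, int]:
    """Return (base32hex NSEC3 hash of owner, number of SHA-1 computations).
    A validator pays this cost once per NSEC3 RR it must match in a
    negative answer, which is why high iteration counts are a DoS lever."""
    # Canonical wire form: lowercase, length-prefixed labels, root byte.
    labels = [l.lower().encode() for l in owner.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest, calls = hashlib.sha1(wire + salt).digest(), 1
    for _ in range(iterations):
        digest, calls = hashlib.sha1(digest + salt).digest(), calls + 1
    return base64.b32encode(digest).decode().translate(_B32HEX).lower(), calls

def audit(zones: Dict[str, bytes], cap: int = SUGGESTED_CAP) -> List[Tuple[str, int]]:
    """Return (zone, iterations) for zones above cap, highest count first."""
    over = [(z, parse_nsec3param(r)["iterations"]) for z, r in zones.items()]
    return sorted([zi for zi in over if zi[1] > cap], key=lambda zi: -zi[1])

# Constructed sample RDATA (not real zones): alg 1 (SHA-1), flags 0.
SAMPLE_ZONES = {
    "low.example.": struct.pack("!BBHB", 1, 0, 10, 4) + bytes.fromhex("aabbccdd"),
    "edge.example.": struct.pack("!BBHB", 1, 0, 150, 0),
    "high.example.": struct.pack("!BBHB", 1, 0, 1600, 4) + bytes.fromhex("aabbccdd"),
}

if __name__ == "__main__":
    for zone, it in audit(SAMPLE_ZONES):
        _, cost = nsec3_hash("www." + zone, b"", it)
        print(f"{zone}: {it} iterations, {cost} SHA-1 ops per hashed name")
```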