[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Jan 18 18:55:21 UTC 2021
On Mon, Jan 18, 2021 at 05:58:21PM +0100, Vladimír Čunát wrote:
> On 1/18/21 7:57 AM, Viktor Dukhovni wrote:
> > The non-empty salt is pointless, but basically harmless.
>
> Why should salt be pointless? Can you hint/link?
Because:
1. Every zone is effectively already salted, because as you
note below the hash covers the FQDN.
2. Changing the salt takes some care, so "nobody" does it.
3. Combining 1 and 2 we conclude that a fixed salt is no
better than an empty salt.
> > I find the shared "salt" value somewhat "amusing"
>
> Whole FQDNs are hashed, so sharing salt among different zones seems safe
> to me, though I must admit I have no idea why anyone might want to do
> it. Though if salt is pointless overall...
See above. :-) Here are the frequencies of NSEC and NSEC3 parameter
combinations across all TLDs:
      50 NSEC
     177 NSEC3 no opt-out:
          77 NSEC3 1 0 5 salted
          48 NSEC3 1 0 1 salted
          28 NSEC3 1 0 12 salted
          18 NSEC3 1 0 10 salted
           2 NSEC3 1 0 8 salted
           1 NSEC3 1 0 3 salted
           1 NSEC3 1 0 20 salted
           1 NSEC3 1 0 13 salted
           1 NSEC3 1 0 100 salted
    1143 NSEC3 with opt-out:
         482 NSEC3 1 1 1 salted
         191 NSEC3 1 1 100 salted
         152 NSEC3 1 1 10 salted
         145 NSEC3 1 1 0 -
          99 NSEC3 1 1 1 -
          30 NSEC3 1 1 5 salted
          15 NSEC3 1 1 3 salted
           9 NSEC3 1 1 0 salted
           5 NSEC3 1 1 20 salted
           4 NSEC3 1 1 5 -
           2 NSEC3 1 1 8 salted
           2 NSEC3 1 1 25 salted
           2 NSEC3 1 1 150 salted
           1 NSEC3 1 1 2 salted
           1 NSEC3 1 1 17 salted
           1 NSEC3 1 1 15 salted
           1 NSEC3 1 1 12 salted
           1 NSEC3 1 1 10 -
It would be good to see all the iteration counts drop to 10 or less,
ideally just 0.
It would also be good to see opt-out used substantially less frequently,
with just a few of the largest zones (perhaps some day none) using it to
reduce storage overhead and cost of whole-zone signing if delegations
are sufficiently sparsely signed.
--
Viktor.
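To make the "every zone is already salted" point concrete, here is an added example (not from the thread, written for this page) implementing the RFC 5155 NSEC3 owner-name hash over the canonical wire-format FQDN, plus a parser for the "1 0 12 aabbccdd" style parameters quoted above. It assumes only the Python standard library; the check against the RFC 5155 Appendix A vector ("example." with 1 0 12 aabbccdd) is in the test, not the page.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("Extended Hex", RFC 4648), as NSEC3 owner names use.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercased labels, each length-prefixed, root last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def parse_nsec3param(rdata: str):
    """Parse presentation-format parameters such as '1 0 12 aabbccdd' ('-' means empty salt)."""
    alg, flags, iters, salt = rdata.split()
    return int(alg), int(flags), int(iters), (b"" if salt == "-" else bytes.fromhex(salt))


def nsec3_hash(name: str, rdata: str) -> str:
    """RFC 5155 s5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt); base32hex."""
    alg, _flags, iters, salt = parse_nsec3param(rdata)
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iters):  # each extra iteration is one more SHA-1 per name, for signer and validator
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()


def sha1_calls_per_name(rdata: str) -> int:
    """SHA-1 invocations needed to hash one owner name: iterations + 1."""
    return parse_nsec3param(rdata)[2] + 1


def opt_out(rdata: str) -> bool:
    """Flags bit 0 is the Opt-Out flag (RFC 5155 s3.1.2.1)."""
    return bool(parse_nsec3param(rdata)[1] & 1)


if __name__ == "__main__":
    # Same leftmost label in two zones: the FQDN in the hash input already separates them,
    # so "1 0 0 -" gives unrelated hashes without any explicit salt.
    for n in ("www.example.com.", "www.example.net."):
        print(n, nsec3_hash(n, "1 0 0 -"))
    print("SHA-1 calls per name for 1 1 100:", sha1_calls_per_name("1 1 100 -"))
```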