List: dns-operations
Subject: Re: [dns-operations] NSEC3PARAM iteration count update
From: Viktor Dukhovni <ietf-dane () dukhovni ! org>
Date: 2017-12-21 16:54:10
Message-ID: BD9E827C-8078-4BAC-91DB-DA2E70F57509 () dukhovni ! org
> On Dec 21, 2017, at 4:45 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
> On Thu, Dec 21, 2017 at 03:17:53AM -0500,
> Viktor Dukhovni <ietf-dane@dukhovni.org> wrote
> a message of 137 lines which said:
>
>> So, in all, 273 domains are misconfigured with counter-productively high
>> iteration counts.
>
> At least one developer heard you:
>
> https://github.com/miekg/dns/issues/611
Thanks for the reference. Sadly, the proposed change to "cap at 5000"
somewhat misses the point. The largest interoperable and operationally
robust server-side cap is 150. For interoperability, the RFC5155 table
needs to be a *floor* on the iteration caps that a resolver operator
should be able to select (without overriding some sort of warning about
potential loss of interoperability). Smaller resolver-side limits will
work poorly with peer-domains that choose to max-out the RFC5155 caps.
I added some comments on the github issue.
--
Viktor.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
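The checks discussed in this thread, as an added example that is not code from the message above, from RFC 5155 itself, or from the miekg/dns project: the NSEC3 hash from RFC 5155 section 5 (so the cost of a high iteration count is concrete), the key-size iteration table from RFC 5155 section 10.3 used the two ways the message describes (as a ceiling for signers, as a floor for resolver-side caps), and a presentation-format NSEC3PARAM parser. The function names, the treatment of keys above 4096 bits, and the sample records are this example's own assumptions; the one test vector is the apex hash of the RFC 5155 Appendix A example zone.

```python
"""NSEC3 iteration-count checks (added example; assumptions noted inline)."""
import base64
import hashlib

# RFC 5155 section 10.3: the largest iteration count a validating resolver is
# expected to accept, keyed by the size of the zone's signing key. Key sizes
# not listed use the next larger entry.
RFC5155_ITERATION_TABLE = ((1024, 150), (2048, 500), (4096, 2500))

# RFC 5155 encodes hashed owner names in base32hex; Python's b32encode emits the
# RFC 4648 base32 alphabet, so translate one alphabet to the other.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def rfc5155_max_iterations(key_bits):
    """Table lookup. Keys above 4096 bits are not in the table; this example
    treats them like 4096-bit keys (an assumption, not RFC text)."""
    for bits, iters in RFC5155_ITERATION_TABLE:
        if key_bits <= bits:
            return iters
    return RFC5155_ITERATION_TABLE[-1][1]


def max_interoperable_signer_iterations():
    """Largest count that every RFC 5155 resolver accepts regardless of key
    size, i.e. the smallest table entry (150)."""
    return min(iters for _, iters in RFC5155_ITERATION_TABLE)


def resolver_cap_below_floor(resolver_caps):
    """resolver_caps maps key size -> configured cap. Returns the key sizes
    whose cap is below the RFC 5155 value: zones signed with that key size
    and an iteration count at the table maximum fail against such a cap."""
    return sorted(bits for bits, cap in resolver_caps.items()
                  if cap < rfc5155_max_iterations(bits))


def parse_nsec3param(rdata):
    """Parse presentation-format NSEC3PARAM rdata: 'alg flags iterations salt'.
    A salt of '-' means empty. Returns (alg, flags, iterations, salt_bytes)."""
    alg, flags, iters, salt = rdata.split()
    return (int(alg), int(flags), int(iters),
            b"" if salt == "-" else bytes.fromhex(salt))


def wire_name(name):
    """Canonical (lowercase) uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` further
    rounds of SHA-1(prev || salt); output is lowercase base32hex (32 chars)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def sha1_calls_per_name(iterations):
    """SHA-1 invocations spent on each name that has to be hashed."""
    return iterations + 1


def zone_iterations_usable(iterations, key_bits, resolver_cap=None):
    """Will a resolver keep using the zone's NSEC3 proofs? The effective cap is
    the resolver's configured one if given, else the RFC 5155 table value."""
    cap = resolver_cap if resolver_cap is not None else rfc5155_max_iterations(key_bits)
    return iterations <= cap


if __name__ == "__main__":
    # Constructed input: the RFC 5155 Appendix A zone "example." is signed with
    # NSEC3PARAM 1 0 12 aabbccdd; its apex hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.
    _, _, iters, salt = parse_nsec3param("1 0 12 aabbccdd")
    print(nsec3_hash("example.", salt, iters))
    # A zone that maxes out the 2048-bit entry (500) against a resolver capped at 150:
    print(zone_iterations_usable(500, 2048, resolver_cap=150))
    # Resolver caps that sit below the table floor for the larger key sizes:
    print(resolver_cap_below_floor({1024: 150, 2048: 150, 4096: 150}))
```

Two reads of the same table: a signer that wants to interoperate with every resolver stays at or under `max_interoperable_signer_iterations()`, while a resolver operator who lowers a per-key-size cap below `rfc5155_max_iterations()` will see `resolver_cap_below_floor()` report it, which is the interoperability loss the message warns about. `sha1_calls_per_name()` makes the cost side visible: a zone at 2500 iterations charges 2501 SHA-1 calls for every name the resolver hashes while validating a negative answer.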