NSEC4

Miek Gieben, miek.gieben@sidn.nl, SIDN
Matthijs Mekking, matthijs@nlnetlabs.nl, NLnet Labs

IETF 83

  1. Why NSEC4: which problem did we try to solve?
    • Smaller reply size with denial of existence answer;
    • Introduce Wildcard Flag bit;
    • Opt-Out for unhashed names;
    • One type of denial of existence.
  2. Experimental status
    • Small-scale experiment: patched NSD3, ldns and Go DNS;
    • Experiment is over; yes, it works, and the idea has merit;
    • Other ideas:
      • minimize the bitmap;
      • splitting NSEC4 into two (sub)records;
      • drop the salt and iterations (i.e. kill NSEC3PARAM).
    • Saving bytes on this level is helpful, but removing RRs (+RRSIGs) is better.
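Two of the byte-saving ideas above, made concrete against the wire formats that already exist. This is an added illustration, not code from the NSEC4 draft or from the patched NSD3/ldns/Go DNS used in the experiment: it implements the RFC 5155 hashed owner name and the RFC 4034 type bitmap so one can see what "drop the salt and iterations" and "minimize the bitmap" actually buy. The function and variable names are this example's own.

```python
"""Added example (not from the NSEC4 draft or its experimental implementations).

  * "drop the salt and iterations": with an empty salt and zero iterations the
    RFC 5155 hashed owner name is a single SHA-1 over the canonical wire-format
    name, so a validator needs nothing from NSEC3PARAM to recompute it;
  * "minimize the bitmap": the RFC 4034 type bitmap costs 2 bytes per 256-type
    window plus one byte per 8 type codes covered, so a single high-numbered
    type can cost more than the rest of the bitmap put together.
"""
import base64
import hashlib

_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of an absolute owner name."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    for label in labels:
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex (RFC 4648 section 7), lowercase, unpadded, as NSEC3 owner names use."""
    table = bytes.maketrans(_B32_STD, _B32_HEX)
    return base64.b32encode(data).translate(table).rstrip(b"=").decode().lower()


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt), IH(salt, x, k) = H(IH(k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def plain_sha1_owner(name: str) -> str:
    """What remains once salt and iterations are dropped: one SHA-1 of the wire name."""
    return base32hex(hashlib.sha1(wire_name(name)).digest())


def type_bitmap(types) -> bytes:
    """RFC 4034 section 4.1.2 type bitmap (shared by NSEC and NSEC3): one
    (window, length, bits) block per 256-type window that has any type set,
    with trailing zero octets omitted."""
    out = bytearray()
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                offset = t & 0xFF
                bits[offset >> 3] |= 0x80 >> (offset & 7)
        while bits[-1] == 0:
            bits.pop()
        out += bytes([window, len(bits)]) + bits
    return bytes(out)


if __name__ == "__main__":
    # RFC 5155 Appendix A zone: NSEC3PARAM 1 0 12 aabbccdd
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
    # Without salt and iterations the hashed owner is just SHA-1(wire name)
    print(nsec3_hash("example.", b"", 0) == plain_sha1_owner("example."))
    apex = [1, 2, 6, 15, 46, 47, 48]  # A NS SOA MX RRSIG NSEC DNSKEY
    print(len(type_bitmap(apex)), len(type_bitmap(apex + [65534])))
```

The apex bitmap for a typical zone fits in 9 bytes; adding one type from the top window (65534, private use) adds another 34. That is the order of saving the bitmap tweaks can reach, which is why the bullet above says the real win is dropping whole RRs and their RRSIGs from the response.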
  3. Next steps
    • Process feedback on -00 for a -01;
    • Implementation in production code?
    • RR type allocation?
    • Re-use the NSEC3 flag registry?
    • Review from WG? Which WG...? Doable in the next 25 minutes?