| rfc9276xml2.original.xml | rfc9276.xml | |||
|---|---|---|---|---|
| <?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | ||||
| <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.32 --> | ||||
| <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ | <!DOCTYPE rfc [ | |||
| <!ENTITY nbsp " "> | ||||
| <!ENTITY zwsp "𔁱"> | ||||
| <!ENTITY nbhy "‑"> | ||||
| <!ENTITY wj "⁠"> | ||||
| ]> | ]> | |||
| <?rfc toc="yes"?> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | |||
| <?rfc sortrefs="yes"?> | -ietf-dnsop-nsec3-guidance-10" number="9276" submissionType="IETF" category="bcp | |||
| <?rfc symrefs="yes"?> | " consensus="true" updates="5155" obsoletes="" tocInclude="true" sortRefs="true" | |||
| <?rfc docmapping="yes"?> | symRefs="true" xml:lang="en" version="3"> | |||
| <rfc ipr="trust200902" docName="draft-ietf-dnsop-nsec3-guidance-10" category="bc | ||||
| p" consensus="true" updates="5155"> | ||||
| <front> | <front> | |||
| <title abbrev="title">Guidance for NSEC3 parameter settings</title> | <title abbrev="NSEC3 Parameter Settings">Guidance for NSEC3 Parameter Setting | |||
| s</title> | ||||
| <seriesInfo name="RFC" value="9276"/> | ||||
| <author initials="W." surname="Hardaker" fullname="Wes Hardaker"> | <seriesInfo name="BCP" value="236"/> | |||
| <organization>USC/ISI</organization> | <author initials="W." surname="Hardaker" fullname="Wes Hardaker"> | |||
| <address> | <organization>USC/ISI</organization> | |||
| <email>ietf@hardakers.net</email> | <address> | |||
| </address> | <email>ietf@hardakers.net</email> | |||
| </author> | </address> | |||
| <author initials="V." surname="Dukhovni" fullname="Viktor Dukhovni"> | </author> | |||
| <organization>Bloomberg, L.P.</organization> | <author initials="V." surname="Dukhovni" fullname="Viktor Dukhovni"> | |||
| <address> | <organization>Bloomberg, L.P.</organization> | |||
| <email>ietf-dane@dukhovni.org</email> | <address> | |||
| </address> | <email>ietf-dane@dukhovni.org</email> | |||
| </author> | </address> | |||
| </author> | ||||
| <date year="2022" month="August"/> | ||||
| <date year="2022" month="May" day="25"/> | <area>ops</area> | |||
| <workgroup>dnsop</workgroup> | ||||
| <abstract> | <keyword>DNSSEC</keyword> | |||
| <keyword>DNS</keyword> | ||||
| <keyword>NSEC3</keyword> | ||||
| <keyword>NSEC</keyword> | ||||
| <keyword>Denial of Existence</keyword> | ||||
| <t>NSEC3 is a DNSSEC mechanism providing proof of non-existence by | <abstract> | |||
| <t>NSEC3 is a DNSSEC mechanism providing proof of nonexistence by | ||||
| asserting that there are no names that exist between two domain names | asserting that there are no names that exist between two domain names | |||
| within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly | within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly | |||
| disclosing the bounding domain name pairs. This document provides | disclosing the bounding domain name pairs. This document provides | |||
| guidance on setting NSEC3 parameters based on recent operational | guidance on setting NSEC3 parameters based on recent operational | |||
| deployment experience. This document updates <xref target="RFC5155"/> with | deployment experience. This document updates RFC 5155 with | |||
| guidance about selecting NSEC3 iteration and salt parameters.</t> | guidance about selecting NSEC3 iteration and salt parameters.</t> | |||
| </abstract> | ||||
| </abstract> | </front> | |||
| <middle> | ||||
| </front> | <section anchor="introduction"> | |||
| <name>Introduction</name> | ||||
| <middle> | <t>As with NSEC <xref target="RFC4035"/>, NSEC3 | |||
| <xref target="RFC5155"/> provides proof of | ||||
| <section anchor="introduction" title="Introduction"> | nonexistence that consists of signed DNS records establishing the | |||
| nonexistence of a given name or associated Resource Record Type | ||||
| <t>As with NSEC <xref target="RFC4035"/>, NSEC3 <xref target="RFC5155"/> provide | (RRTYPE) in a DNSSEC-signed zone <xref target="RFC4035"/>. However, in the case | |||
| s proof of | of NSEC3, the names of valid nodes in the zone are obfuscated through | |||
| non-existence that consists of signed DNS records establishing the | ||||
| non-existence of a given name or associated Resource Record Type | ||||
| (RRTYPE) in a DNSSEC <xref target="RFC4035"/> signed zone. In the case of NSEC3 | ||||
| , | ||||
| however, the names of valid nodes in the zone are obfuscated through | ||||
| (possibly multiple iterations of) hashing (currently only | (possibly multiple iterations of) hashing (currently only | |||
| SHA-1 is in use on the Internet).</t> | SHA-1 is in use on the Internet).</t> | |||
| <t> | ||||
| NSEC3 also provides "opt-out support", allowing for blocks of | ||||
| unsigned delegations to be covered by a single NSEC3 record. Use of | ||||
| the opt-out feature allows large registries to only sign as many | ||||
| NSEC3 records as there are signed DS or other Resource Record sets | ||||
| (RRsets) in the zone; with opt-out, unsigned delegations don't | ||||
| require additional NSEC3 records. This sacrifices the tamper- | ||||
| resistance of the proof of nonexistence offered by NSEC3 in order to | ||||
| reduce memory and CPU overheads. | ||||
| </t> | ||||
| <t>NSEC3 also provides “opt-out support”, allowing for blocks of unsigned | <t>NSEC3 records have a number of tunable parameters that are specified | |||
| delegations to be covered by a single NSEC3 record. Use of the | ||||
| opt-out feature allows large registries to only sign as many NSEC3 | ||||
| records as there are signed DS or other RRsets in the zone; with | ||||
| opt-out, unsigned delegations don’t require additional NSEC3 records. | ||||
| This sacrifices the tamper-resistance proof of non-existence | ||||
| offered by NSEC3 in order to reduce memory and CPU overheads.</t> | ||||
| <t>NSEC3 records have a number of tunable parameters that are specified | ||||
| via an NSEC3PARAM record at the zone apex. These parameters are the | via an NSEC3PARAM record at the zone apex. These parameters are the | |||
| hash algorithm, processing flags, the number of hash iterations and | hash algorithm, the processing flags, the number of hash iterations, and | |||
| the salt. Each of these has security and operational considerations | the salt. Each of these has security and operational considerations | |||
| that impact both zone owners and validating resolvers. This document | that impact both zone owners and validating resolvers. This document | |||
| provides some best-practice recommendations for setting the NSEC3 | provides some best-practice recommendations for setting the NSEC3 | |||
| parameters.</t> | parameters.</t> | |||
| <section anchor="requirements-notation"> | ||||
| <name>Requirements Notation</name> | ||||
| <t> | ||||
| The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUI | ||||
| RED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | ||||
| NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>R | ||||
| ECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | ||||
| "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to b | ||||
| e interpreted as | ||||
| described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
| when, and only when, they appear in all capitals, as shown here. | ||||
| </t> | ||||
| </section> | ||||
| </section> | ||||
| <section anchor="nsec3-parameter-value-discussions"> | ||||
| <name>NSEC3 Parameter Value Discussions</name> | ||||
| <section anchor="requirements-notation" title="Requirements Notation"> | <t>The following sections describe the background of the parameters for | |||
| the NSEC3 and NSEC3PARAM RRTYPEs.</t> | ||||
| <t>The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, | <section anchor="algorithms"> | |||
| “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, | <name>Algorithms</name> | |||
| and “OPTIONAL” in this document are to be interpreted as described | <t>The algorithm field is not discussed by this document. Readers are | |||
| in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only wh | ||||
| en, they appear | ||||
| in all capitals, as shown here.</t> | ||||
| </section> | ||||
| </section> | ||||
| <section anchor="nsec3-parameter-value-discussions" title="NSEC3 Parameter Value | ||||
| Discussions"> | ||||
| <t>The following sections describes the background of the parameters for | ||||
| the NSEC3 and NSEC3PARAM resource record types.</t> | ||||
| <section anchor="algorithms" title="Algorithms"> | ||||
| <t>The algorithm field is not discussed by this document. Readers are | ||||
| encouraged to read <xref target="RFC8624"/> for guidance about DNSSEC algorithm | encouraged to read <xref target="RFC8624"/> for guidance about DNSSEC algorithm | |||
| usage.</t> | usage.</t> | |||
| </section> | ||||
| </section> | <section anchor="flags"> | |||
| <section anchor="flags" title="Flags"> | <name>Flags</name> | |||
| <t>The NSEC3PARAM flags field currently contains only reserved and | ||||
| <t>The NSEC3PARAM flags field currently contains only reserved and | unassigned flags. However, individual NSEC3 records contain the | |||
| unassigned flags. Individual NSEC3 records, however, contain the | "Opt-Out" flag <xref target="RFC5155"/> that specifies whether that NSEC3 record | |||
| “Opt-Out” flag <xref target="RFC5155"/>, which specifies whether that NSEC3 reco | provides proof of nonexistence. In general, NSEC3 with the Opt-Out | |||
| rd | ||||
| provides proof of non-existence. In general, NSEC3 with the Opt-Out | ||||
| flag enabled should only be used in large, highly dynamic zones with a | flag enabled should only be used in large, highly dynamic zones with a | |||
| small percentage of signed delegations. Operationally, this allows | small percentage of signed delegations. Operationally, this allows | |||
| for fewer signature creations when new delegations are inserted into a | for fewer signature creations when new delegations are inserted into a | |||
| zone. This is typically only necessary for extremely large | zone. This is typically only necessary for extremely large | |||
| registration points providing zone updates faster than real-time | registration points providing zone updates faster than real-time | |||
| signing allows or when using memory-constrained hardware. | signing allows or when using memory-constrained hardware. | |||
| Operators considering the use of NSEC3 are advised to fully test their | ||||
| zones deployment architectures and authoritative servers under both | ||||
| regular operational loads to determine the tradeoffs using NSEC3 | ||||
| instead of NSEC. Smaller zones, or large but relatively static zones, | ||||
| are encouraged to not use a the opt-opt flag and to take advantage of | ||||
| DNSSEC’s proof-of-non-existence support.</t> | ||||
| </section> | Operators considering the use of NSEC3 are advised to carefully | |||
| <section anchor="iterations" title="Iterations"> | weigh the costs and benefits of choosing NSEC3 over NSEC. Smaller | |||
| zones, or large but relatively static zones, are encouraged to not | ||||
| use the opt-opt flag and to take advantage of DNSSEC's | ||||
| authenticated denial of existence. | ||||
| </t> | ||||
| </section> | ||||
| <section anchor="iterations"> | ||||
| <name>Iterations</name> | ||||
| <t>NSEC3 records are created by first hashing the input domain and then | <t>NSEC3 records are created by first hashing the input domain and then | |||
| repeating that hashing using the same algorithm a number of times based on the | repeating that hashing using the same algorithm a number of times based on the | |||
| iteration parameter in the NSEC3PARM and NSEC3 records. | iteration parameter in the NSEC3PARAM and NSEC3 records. | |||
| The first hash with NSEC3 is typically sufficient to discourage zone | ||||
| enumeration performed by “zone walking” an unhashed NSEC chain.</t> | ||||
| <t>Note that <xref target="RFC5155"/> describes the Iterations field to be “The | The first hash with NSEC3 is typically sufficient to discourage zone | |||
| enumeration performed by "zone walking" an unhashed NSEC chain.</t> | ||||
| <t>Note that <xref target="RFC5155"/> describes the Iterations field as f | ||||
| ollows</t> | ||||
| <blockquote>The | ||||
| Iterations field defines the number of additional times the hash | Iterations field defines the number of additional times the hash | |||
| function has been performed.” This means that an NSEC3 record with an | function has been performed.</blockquote> | |||
| <t>This means that an NSEC3 record with an | ||||
| Iterations field of 0 actually requires one hash iteration.</t> | Iterations field of 0 actually requires one hash iteration.</t> | |||
| <t>Only determined parties | ||||
| <t>Only determined parties | ||||
| with significant resources are likely to try and uncover hashed | with significant resources are likely to try and uncover hashed | |||
| values, regardless of the number of additional iterations performed. | values, regardless of the number of additional iterations performed. | |||
| If an adversary really wants to expend significant CPU resources to | If an adversary really wants to expend significant CPU resources to | |||
| mount an offline dictionary attack on a zone’s NSEC3 chain, they’ll | mount an offline dictionary attack on a zone's NSEC3 chain, they'll | |||
| likely be able to find most of the “guessable” names despite any | likely be able to find most of the "guessable" names despite any | |||
| level of additional hashing iterations.</t> | level of additional hashing iterations.</t> | |||
| <t>Most names published in the DNS are rarely secret or unpredictable. | ||||
| <t>Most names published in the DNS are rarely secret or unpredictable. | ||||
| They are published to be memorable, used and consumed by humans. They | They are published to be memorable, used and consumed by humans. They | |||
| are often recorded in many other network logs such as email logs, | are often recorded in many other network logs such as email logs, | |||
| certificate transparency logs, web page links, intrusion detection | certificate transparency logs, web page links, intrusion-detection | |||
| systems, malware scanners, email archives, etc. Many times a simple | systems, malware scanners, email archives, etc. Many times a simple | |||
| dictionary of commonly used domain names prefixes (www, mail, | dictionary of commonly used domain names prefixes (www, mail, | |||
| imap, login, database, etc.) can be used to quickly reveal a large | imap, login, database, etc.) can be used to quickly reveal a large | |||
| number of labels within a zone. Because of this, there are increasing | number of labels within a zone. Because of this, there are increasing | |||
| performance costs yet diminishing returns associated with applying | performance costs yet diminishing returns associated with applying | |||
| additional hash iterations beyond the first.</t> | additional hash iterations beyond the first.</t> | |||
| <t>Although <xref target="RFC5155" sectionFormat="of" section="10.3"/> sp | ||||
| <t>Although Section 10.3 of <xref target="RFC5155"/> specifies upper bounds for | ecifies the upper bounds for the | |||
| the | ||||
| number of hash iterations to use, there is no published guidance for | number of hash iterations to use, there is no published guidance for | |||
| zone owners about good values to select. Recent academic studies | zone owners about good values to select. Recent academic studies | |||
| have shown that NSEC3 hashing provides only moderate | have shown that NSEC3 hashing provides only moderate | |||
| protection <xref target="GPUNSEC3"/><xref target="ZONEENUM"/>.</t> | protection <xref target="GPUNSEC3"/> <xref target="ZONEENUM"/>.</t> | |||
| </section> | ||||
| </section> | <section anchor="salt"> | |||
| <section anchor="salt" title="Salt"> | <name>Salt</name> | |||
| <t>NSEC3 records provide an additional salt value, which can be | ||||
| <t>NSEC3 records provide an additional salt value, which can be | combined with a Fully Qualified Domain Name (FQDN) to influence the resulting ha | |||
| combined with an FQDN to influence the resulting hash, but properties | sh, but properties | |||
| of this extra salt are complicated.</t> | of this extra salt are complicated.</t> | |||
| <t>In cryptography, salts generally add a layer of protection against | ||||
| <t>In cryptography, salts generally add a layer of protection against | ||||
| offline, stored dictionary attacks by combining the value to be hashed | offline, stored dictionary attacks by combining the value to be hashed | |||
| with a unique “salt” value. This prevents adversaries from building up | with a unique "salt" value. This prevents adversaries from building up | |||
| and remembering a single dictionary of values that can translate a | and remembering a single dictionary of values that can translate a | |||
| hash output back to the value that it derived from.</t> | hash output back to the value that it was derived from.</t> | |||
| <t>In the case of DNS, the situation is different because the hashed | ||||
| <t>In the case of DNS, the situation is different because the hashed | names placed in NSEC3 records are always implicitly "salted" by | |||
| names placed in NSEC3 records are always implicitly “salted” by | hashing the FQDN from each zone. Thus, no | |||
| hashing the fully-qualified domain name from each zone. Thus, no | ||||
| single pre-computed table works to speed up dictionary attacks | single pre-computed table works to speed up dictionary attacks | |||
| against multiple target zones. An attacker is always required to | against multiple target zones. An attacker is always required to | |||
| compute a complete dictionary per zone, which is expensive in both | compute a complete dictionary per zone, which is expensive in both | |||
| storage and CPU time.</t> | storage and CPU time.</t> | |||
| <t>To understand the role of the additional NSEC3 salt field, we have to | ||||
| <t>To understand the role of the additional NSEC3 salt field, we have to | ||||
| consider how a typical zone walking attack works. Typically, the attack | consider how a typical zone walking attack works. Typically, the attack | |||
| has two phases - online and offline. In the online phase, an attacker | has two phases: online and offline. In the online phase, an attacker | |||
| “walks the zone” by enumerating (almost) all hashes listed in NSEC3 | "walks the zone" by enumerating (almost) all hashes listed in NSEC3 | |||
| records and storing them for the offline phase. Then, in the offline | records and storing them for the offline phase. Then, in the offline | |||
| cracking phase, the attacker attempts to crack the underlying hash. In | cracking phase, the attacker attempts to crack the underlying hash. In | |||
| this phase, the additional salt value raises the cost of the attack | this phase, the additional salt value raises the cost of the attack | |||
| only if the salt value changes during the online phase of the | only if the salt value changes during the online phase of the | |||
| attack. In other words, an additional, constant salt value does not | attack. In other words, an additional, constant salt value does not | |||
| change the cost of the attack.</t> | change the cost of the attack.</t> | |||
| <t>Changing a zone's salt value requires the construction of a complete | ||||
| <t>Changing a zone’s salt value requires the construction of a complete | ||||
| new NSEC3 chain. This is true both when re-signing the entire zone at | new NSEC3 chain. This is true both when re-signing the entire zone at | |||
| once, and when incrementally signing it in the background where the new | once and when incrementally signing it in the background where the new | |||
| salt is only activated once every name in the chain has been | salt is only activated once every name in the chain has been | |||
| completed. As a result, re-salting is a very complex operation, with | completed. As a result, re-salting is a very complex operation, with | |||
| significant CPU time, memory, and bandwidth consumption. This makes | significant CPU time, memory, and bandwidth consumption. This makes | |||
| very frequent re-salting impractical, and renders the additional salt | very frequent re-salting impractical and renders the additional salt | |||
| field functionally useless.</t> | field functionally useless.</t> | |||
| </section> | ||||
| </section> | </section> | |||
| </section> | <section anchor="recommendations-for-deploying-and-validating-nsec3-records"> | |||
| <section anchor="recommendations-for-deploying-and-validating-nsec3-records" tit | <name>Recommendations for Deploying and Validating NSEC3 Records</name> | |||
| le="Recommendations for Deploying and Validating NSEC3 Records"> | <t>The following subsections describe recommendations for the different | |||
| <t>The following subsections describe recommendations for the different | ||||
| operating realms within the DNS.</t> | operating realms within the DNS.</t> | |||
| <section anchor="best-practice-for-zone-publishers"> | ||||
| <section anchor="best-practice-for-zone-publishers" title="Best-practice for Zon | <name>Best Practice for Zone Publishers</name> | |||
| e Publishers"> | <t>First, if the operational or security features of NSEC3 are not | |||
| needed, then NSEC <bcp14>SHOULD</bcp14> be used in preference to NSEC3. NSEC3 | ||||
| <t>First, if the operational or security features of NSEC3 are not | ||||
| needed, then NSEC SHOULD be used in preference to NSEC3. NSEC3 | ||||
| requires greater computational power (see <xref target="computationalburdens"/>) | requires greater computational power (see <xref target="computationalburdens"/>) | |||
| for both authoritative servers and validating clients. Specifically, | for both authoritative servers and validating clients. Specifically, | |||
| there is a nontrivial complexity in finding matching NSEC3 records to | there is a nontrivial complexity in finding matching NSEC3 records to | |||
| randomly generated prefixes within a DNS zone. NSEC mitigates this | randomly generated prefixes within a DNS zone. NSEC mitigates this | |||
| concern. If NSEC3 must be used, then an iterations count of 0 MUST be | concern. If NSEC3 must be used, then an iterations count of 0 <bcp14>MUST</bcp1 4> be | |||
| used to alleviate computational burdens. Note that extra iteration | used to alleviate computational burdens. Note that extra iteration | |||
| counts other than 0 increase the impact of CPU-exhausting DoS attacks, | counts other than 0 increase the impact of CPU-exhausting DoS attacks, | |||
| and also increase the risk of interoperability problems.</t> | and also increase the risk of interoperability problems.</t> | |||
| <t>Note that deploying NSEC with minimally covering NSEC records | ||||
| <t>Note that deploying NSEC with minimally covering NSEC records | <xref target="RFC4470"/> also incurs a cost, and zone owners should measure the | |||
| <xref target="RFC4470"></xref> also incurs a cost, and zone owners should measur | computational difference in deploying either <xref target="RFC4470"/> or NSEC3.< | |||
| e the | /t> | |||
| computational difference in deploying either RFC4470 or NSEC3.</t> | <t>In short, for all zones, the recommended NSEC3 parameters are as shown | |||
| <t>In short, for all zones, the recommended NSEC3 parameters are as shown | ||||
| below:</t> | below:</t> | |||
| <figure><artwork><![CDATA[ | <artwork><![CDATA[ | |||
| ; SHA-1, no extra iterations, empty salt: | ; SHA-1, no extra iterations, empty salt: | |||
| ; | ; | |||
| bcp.example. IN NSEC3PARAM 1 0 0 - | bcp.example. IN NSEC3PARAM 1 0 0 - | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t>For small zones, the use of opt-out-based NSEC3 records is <bcp14>NOT | ||||
| <t>For small zones, the use of opt-out based NSEC3 records is NOT | RECOMMENDED</bcp14>.</t> | |||
| RECOMMENDED.</t> | <t>For very large and sparsely signed zones, where the majority of the | |||
| records are insecure delegations, opt-out <bcp14>MAY</bcp14> be used.</t> | ||||
| <t>For very large and sparsely signed zones, where the majority of the | <t>Operators <bcp14>SHOULD NOT</bcp14> use a salt by indicating a zero-le | |||
| records are insecure delegations, opt-out MAY be used.</t> | ngth salt value | |||
| instead (represented as a "-" in the presentation format).</t> | ||||
| <t>Operators SHOULD NOT use a salt by indicating a zero-length salt value | <t>If salts are used, note that since the NSEC3PARAM RR is not used by | |||
| instead (represented as a “-“ in the presentation format).</t> | validating resolvers (see <xref target="RFC5155" sectionFormat="of" section="4"/ | |||
| >), the iterations and | ||||
| <t>If salts are used, note that since the NSEC3PARAM RR is not used by | ||||
| validating resolvers (see <xref target="RFC5155"></xref> section 4), the iterati | ||||
| ons and | ||||
| salt parameters can be changed without the need to wait for RRsets to | salt parameters can be changed without the need to wait for RRsets to | |||
| expire from caches. A complete new NSEC3 chain needs to be | expire from caches. A complete new NSEC3 chain needs to be | |||
| constructed and the full zone needs to be re-signed.</t> | constructed and the full zone needs to be re-signed.</t> | |||
| </section> | ||||
| </section> | <section anchor="recommendation-for-validating-resolvers"> | |||
| <section anchor="recommendation-for-validating-resolvers" title="Recommendation | <name>Recommendation for Validating Resolvers</name> | |||
| for Validating Resolvers"> | <t>Because there has been a large growth of open (public) DNSSEC | |||
| <t>Because there has been a large growth of open (public) DNSSEC | ||||
| validating resolvers that are subject to compute resource constraints | validating resolvers that are subject to compute resource constraints | |||
| when handling requests from anonymous clients, this document | when handling requests from anonymous clients, this document | |||
| recommends that validating resolvers change their behavior with | recommends that validating resolvers reduce their iteration count | |||
| respect to large iteration values. Specifically, validating | limits over time. | |||
| Specifically, validating | ||||
| resolver operators and validating resolver software implementers are | resolver operators and validating resolver software implementers are | |||
| encouraged to continue evaluating NSEC3 iteration count deployments | encouraged to continue evaluating NSEC3 iteration count deployment | |||
| but lower their default acceptable limits over time. Similarly, because | trends and lower their acceptable iteration limits over time. | |||
| Because | ||||
| treating a high iterations count as insecure leaves zones subject to | treating a high iterations count as insecure leaves zones subject to | |||
| attack, validating resolver operators and validating resolver software | attack, validating resolver operators and validating resolver software | |||
| implementers are further encouraged to lower their default and acceptable | implementers are further encouraged to lower their default | |||
| limit for returning SERVFAIL when processing NSEC3 parameters | limit for returning SERVFAIL when processing NSEC3 parameters | |||
| containing large iteration count values. See | containing large iteration count values. | |||
| See | ||||
| <xref target="deploymentmeasurements"/> for measurements taken near the time of | <xref target="deploymentmeasurements"/> for measurements taken near the time of | |||
| publication of this document and potential starting points.</t> | publication of this document and potential starting points.</t> | |||
| <t>Validating resolvers <bcp14>MAY</bcp14> return an insecure response to | ||||
| <t>Validating resolvers MAY return an insecure response to their clients | their clients | |||
| when processing NSEC3 records with iterations larger | when processing NSEC3 records with iterations larger | |||
| than 0. | than 0. | |||
| Note also that a validating resolver returning an insecure response | Note also that a validating resolver returning an insecure response | |||
| MUST still validate the signature over the NSEC3 record to ensure | <bcp14>MUST</bcp14> still validate the signature over the NSEC3 record to ensure | |||
| the iteration count was not altered since record publication (see | the iteration count was not altered since record publication (see | |||
| <xref target="RFC5155"/> section 10.3).</t> | <xref target="RFC5155" sectionFormat="of" section="10.3"/>).</t> | |||
| <t>Validating resolvers <bcp14>MAY</bcp14> also return a SERVFAIL respons | ||||
| <t>Validating resolvers MAY also return a SERVFAIL response when | e when | |||
| processing NSEC3 records with iterations larger than 0. Validating | processing NSEC3 records with iterations larger than 0. Validating | |||
| resolvers MAY choose to ignore authoritative server responses with | resolvers <bcp14>MAY</bcp14> choose to ignore authoritative server responses wit h | |||
| iteration counts greater than 0, which will likely result in | iteration counts greater than 0, which will likely result in | |||
| returning a SERVFAIL to the client when no acceptable responses are | returning a SERVFAIL to the client when no acceptable responses are | |||
| received from authoritative servers.</t> | received from authoritative servers.</t> | |||
| <t>Validating resolvers returning an insecure or SERVFAIL answer to their | ||||
| <t>Validating resolvers returning an insecure or SERVFAIL answer to their | ||||
| client after receiving and validating an unsupported NSEC3 parameter | client after receiving and validating an unsupported NSEC3 parameter | |||
| from the authoritative server(s) SHOULD return an Extended DNS | from the authoritative server(s) <bcp14>SHOULD</bcp14> return an Extended DNS | |||
| Error (EDE) <xref target="RFC8914"/> EDNS0 option of value (RFC EDITOR: TBD). | Error (EDE) <xref target="RFC8914"/> EDNS0 option of value 27. | |||
| Validating resolvers that choose to ignore a response with an | Validating resolvers that choose to ignore a response with an | |||
| unsupported iteration count (and do not validate the signature) MUST | unsupported iteration count (and that do not validate the signature) <bcp14>MUST | |||
| NOT return this EDE option.</t> | NOT</bcp14> return this EDE option.</t> | |||
| <t>Note that this specification updates <xref target="RFC5155"></xref> by signif | <t>Note that this specification updates <xref target="RFC5155"/> by signi | |||
| icantly | ficantly | |||
| decreasing the requirements originally specified in Section 10.3 of | decreasing the requirements originally specified in <xref | |||
| <xref target="RFC5155"></xref>. See the Security Considerations for arguments on | target="RFC5155" sectionFormat="of" section="10.3"/>. See the Security | |||
| how to | Considerations (<xref target="security-considerations"/>) for arguments on how t | |||
| o | ||||
| handle responses with non-zero iteration count.</t> | handle responses with non-zero iteration count.</t> | |||
| </section> | ||||
| <section anchor="recommendation-for-primary-secondary-relationships"> | ||||
| <name>Recommendation for Primary and Secondary Relationships</name> | ||||
| </section> | <t>Primary and secondary authoritative servers for a zone that are not | |||
| <section anchor="recommendation-for-primary-secondary-relationships" title="Reco | ||||
| mmendation for Primary / Secondary Relationships"> | ||||
| <t>Primary and secondary authoritative servers for a zone that are not | ||||
| being run by the same operational staff and/or using the same software | being run by the same operational staff and/or using the same software | |||
| and configuration must take into account the potential differences in | and configuration must take into account the potential differences in | |||
| NSEC3 iteration support.</t> | NSEC3 iteration support.</t> | |||
| <t>Operators of secondary services should advertise the parameter limits | ||||
| <t>Operators of secondary services should advertise the parameter limits | ||||
| that their servers support. Correspondingly, operators of primary | that their servers support. Correspondingly, operators of primary | |||
| servers need to ensure that their secondaries support the NSEC3 | servers need to ensure that their secondaries support the NSEC3 | |||
| parameters they expect to use in their zones. To ensure reliability, | parameters they expect to use in their zones. To ensure reliability, | |||
| after primaries change their iteration counts, they should query their | after primaries change their iteration counts, they should query their | |||
| secondaries with known non-existent labels to verify the secondary | secondaries with known nonexistent labels to verify the secondary | |||
| servers are responding as expected.</t> | servers are responding as expected.</t> | |||
| </section> | ||||
| </section> | ||||
| <section anchor="security-considerations"> | ||||
| <name>Security Considerations</name> | ||||
| </section> | <t>This entire document discusses security considerations with various | |||
| </section> | parameter selections of NSEC3 and NSEC3PARAM fields.</t> | |||
| <section anchor="security-considerations" title="Security Considerations"> | <t>The point where a validating resolver returns insecure versus the point | |||
| <t>This entire document discusses security considerations with various | ||||
| parameters selections of NSEC3 and NSEC3PARAM fields.</t> | ||||
| <t>The point where a validating resolver returns insecure vs the point | ||||
| where it returns SERVFAIL must be considered carefully. Specifically, | where it returns SERVFAIL must be considered carefully. Specifically, | |||
| when a validating resolver treats a zone as insecure above a | when a validating resolver treats a zone as insecure above a | |||
| particular value (say 100) and returns SERVFAIL above a higher point | particular value (say 100) and returns SERVFAIL above a higher point | |||
| (say 500), it leaves the zone subject to attacker-in-the-middle | (say 500), it leaves the zone subject to attacker-in-the-middle | |||
| attacks as if it was unsigned between these values. Thus, validating | attacks as if it were unsigned between these values. | |||
| resolver operators and software implementers SHOULD set the point | ||||
| above which a zone is treated as insecure for certain values of NSEC3 | ||||
| iterations counts to the same as the point where a validating resolver | ||||
| begins returning SERVFAIL.</t> | ||||
| </section> | ||||
| <section anchor="operational-considerations" title="Operational Considerations"> | ||||
| <t>This entire document discusses operational considerations with various | ||||
| parameters selections of NSEC3 and NSEC3PARAM fields.</t> | ||||
| </section> | ||||
| <section anchor="iana-considerations" title="IANA Considerations"> | ||||
| <t>This document requests a new allocation in the First Come First Served | ||||
| range of the “Extended DNS Error Codes” of the “Domain Name System | ||||
| (DNS) Parameters” registration table with the following | ||||
| characteristics:</t> | ||||
| <t><list style="symbols"> | ||||
| <t>INFO-CODE: (RFC EDITOR: TBD)</t> | ||||
| <t>Purpose: Unsupported NSEC3 iterations value</t> | ||||
| <t>Reference: (RFC EDITOR: this document)</t> | ||||
| </list></t> | ||||
| </section> | ||||
| </middle> | ||||
| <back> | ||||
| <references title='Normative References'> | ||||
| <reference anchor="RFC2119" target='https://www.rfc-editor.org/info/rfc2119'> | ||||
| <front> | ||||
| <title>Key words for use in RFCs to Indicate Requirement Levels</title> | ||||
| <author initials='S.' surname='Bradner' fullname='S. Bradner'><organization /></ | ||||
| author> | ||||
| <date year='1997' month='March' /> | ||||
| <abstract><t>In many standards track documents several words are used to signify | ||||
| the requirements in the specification. These words are often capitalized. This | ||||
| document defines these words as they should be interpreted in IETF documents. | ||||
| This document specifies an Internet Best Current Practices for the Internet Comm | ||||
| unity, and requests discussion and suggestions for improvements.</t></abstract> | ||||
| </front> | ||||
| <seriesInfo name='BCP' value='14'/> | ||||
| <seriesInfo name='RFC' value='2119'/> | ||||
| <seriesInfo name='DOI' value='10.17487/RFC2119'/> | ||||
| </reference> | ||||
| <reference anchor="RFC5155" target='https://www.rfc-editor.org/info/rfc5155'> | ||||
| <front> | ||||
| <title>DNS Security (DNSSEC) Hashed Authenticated Denial of Existence</title> | ||||
| <author initials='B.' surname='Laurie' fullname='B. Laurie'><organization /></au | ||||
| thor> | ||||
| <author initials='G.' surname='Sisson' fullname='G. Sisson'><organization /></au | ||||
| thor> | ||||
| <author initials='R.' surname='Arends' fullname='R. Arends'><organization /></au | ||||
| thor> | ||||
| <author initials='D.' surname='Blacka' fullname='D. Blacka'><organization /></au | ||||
| thor> | ||||
| <date year='2008' month='March' /> | ||||
| <abstract><t>The Domain Name System Security (DNSSEC) Extensions introduced the | ||||
| NSEC resource record (RR) for authenticated denial of existence. This document i | ||||
| ntroduces an alternative resource record, NSEC3, which similarly provides authen | ||||
| ticated denial of existence. However, it also provides measures against zone en | ||||
| umeration and permits gradual expansion of delegation-centric zones. [STANDARDS | ||||
| -TRACK]</t></abstract> | ||||
| </front> | ||||
| <seriesInfo name='RFC' value='5155'/> | ||||
| <seriesInfo name='DOI' value='10.17487/RFC5155'/> | ||||
| </reference> | ||||
| <reference anchor="RFC4035" target='https://www.rfc-editor.org/info/rfc4035'> | ||||
| <front> | ||||
| <title>Protocol Modifications for the DNS Security Extensions</title> | ||||
| <author initials='R.' surname='Arends' fullname='R. Arends'><organization /></au | ||||
| thor> | ||||
| <author initials='R.' surname='Austein' fullname='R. Austein'><organization /></ | ||||
| author> | ||||
| <author initials='M.' surname='Larson' fullname='M. Larson'><organization /></au | ||||
| thor> | ||||
| <author initials='D.' surname='Massey' fullname='D. Massey'><organization /></au | ||||
| thor> | ||||
| <author initials='S.' surname='Rose' fullname='S. Rose'><organization /></author | ||||
| > | ||||
| <date year='2005' month='March' /> | ||||
| <abstract><t>This document is part of a family of documents that describe the DN | ||||
| S Security Extensions (DNSSEC). The DNS Security Extensions are a collection of | ||||
| new resource records and protocol modifications that add data origin authentica | ||||
| tion and data integrity to the DNS. This document describes the DNSSEC protocol | ||||
| modifications. This document defines the concept of a signed zone, along with | ||||
| the requirements for serving and resolving by using DNSSEC. These techniques al | ||||
| low a security-aware resolver to authenticate both DNS resource records and auth | ||||
| oritative DNS error indications. </t><t> This document obsoletes RFC 2535 and in | ||||
| corporates changes from all updates to RFC 2535. [STANDARDS-TRACK]</t></abstrac | ||||
| t> | ||||
| </front> | ||||
| <seriesInfo name='RFC' value='4035'/> | ||||
| <seriesInfo name='DOI' value='10.17487/RFC4035'/> | ||||
| </reference> | ||||
| <reference anchor="RFC4470" target='https://www.rfc-editor.org/info/rfc4470'> | ||||
| <front> | ||||
| <title>Minimally Covering NSEC Records and DNSSEC On-line Signing</title> | ||||
| <author initials='S.' surname='Weiler' fullname='S. Weiler'><organization /></au | ||||
| thor> | ||||
| <author initials='J.' surname='Ihren' fullname='J. Ihren'><organization /></auth | ||||
| or> | ||||
| <date year='2006' month='April' /> | ||||
| <abstract><t>This document describes how to construct DNSSEC NSEC resource recor | ||||
| ds that cover a smaller range of names than called for by RFC 4034. By generati | ||||
| ng and signing these records on demand, authoritative name servers can effective | ||||
| ly stop the disclosure of zone contents otherwise made possible by walking the c | ||||
| hain of NSEC records in a signed zone. [STANDARDS-TRACK]</t></abstract> | ||||
| </front> | ||||
| <seriesInfo name='RFC' value='4470'/> | ||||
| <seriesInfo name='DOI' value='10.17487/RFC4470'/> | ||||
| </reference> | ||||
| <reference anchor="RFC8174" target='https://www.rfc-editor.org/info/rfc8174'> | ||||
| <front> | ||||
| <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> | ||||
| <author initials='B.' surname='Leiba' fullname='B. Leiba'><organization /></auth | ||||
| or> | ||||
| <date year='2017' month='May' /> | ||||
| <abstract><t>RFC 2119 specifies common key words that may be used in protocol s | ||||
| pecifications. This document aims to reduce the ambiguity by clarifying that on | ||||
| ly UPPERCASE usage of the key words have the defined special meanings.</t></abs | ||||
| tract> | ||||
| </front> | ||||
| <seriesInfo name='BCP' value='14'/> | ||||
| <seriesInfo name='RFC' value='8174'/> | ||||
| <seriesInfo name='DOI' value='10.17487/RFC8174'/> | ||||
| </reference> | ||||
| <reference anchor="RFC8914" target='https://www.rfc-editor.org/info/rfc8914'> | ||||
| <front> | ||||
| <title>Extended DNS Errors</title> | ||||
| <author initials='W.' surname='Kumari' fullname='W. Kumari'><organization /></au | ||||
| thor> | ||||
| <author initials='E.' surname='Hunt' fullname='E. Hunt'><organization /></author | ||||
| > | ||||
| <author initials='R.' surname='Arends' fullname='R. Arends'><organization /></au | ||||
| thor> | ||||
| <author initials='W.' surname='Hardaker' fullname='W. Hardaker'><organization /> | ||||
| </author> | ||||
| <author initials='D.' surname='Lawrence' fullname='D. Lawrence'><organization /> | ||||
| </author> | ||||
| <date year='2020' month='October' /> | ||||
| <abstract><t>This document defines an extensible method to return additional inf | ||||
| ormation about the cause of DNS errors. Though created primarily to extend SERVF | ||||
| AIL to provide additional information about the cause of DNS and DNSSEC failures | ||||
| , the Extended DNS Errors option defined in this document allows all response ty | ||||
| pes to contain extended error information. Extended DNS Error information does n | ||||
| ot change the processing of RCODEs.</t></abstract> | ||||
| </front> | ||||
| <seriesInfo name='RFC' value='8914'/> | ||||
| <seriesInfo name='DOI' value='10.17487/RFC8914'/> | ||||
| </reference> | ||||
| </references> | Thus, validating resolver operators and software implementers | |||
| <bcp14>SHOULD</bcp14> set the point above which a zone is treated as | ||||
| insecure for certain values of NSEC3 iterations to the same as the | ||||
| point where a validating resolver begins returning SERVFAIL. | ||||
| <references title='Informative References'> | </t> | |||
| </section> | ||||
| <section anchor="operational-considerations"> | ||||
| <name>Operational Considerations</name> | ||||
| <t>This entire document discusses operational considerations with various | ||||
| parameter selections of NSEC3 and NSEC3PARAM fields.</t> | ||||
| </section> | ||||
| <section anchor="iana-considerations"> | ||||
| <name>IANA Considerations</name> | ||||
| <reference anchor="GPUNSEC3" > | <t>IANA has allocated the following code in the First Come First Served | |||
| <front> | range <xref target="RFC8126"/> of the "Extended DNS Error Codes" registry w | |||
| <title>GPU-Based NSEC3 Hash Breaking</title> | ithin the "Domain Name System | |||
| <author initials="M." surname="Wander" fullname="M. Wander"> | (DNS) Parameters" registry:</t> | |||
| <organization></organization> | <dl spacing="compact"> | |||
| </author> | <dt>INFO-CODE:</dt> <dd>27</dd> | |||
| <author initials="L." surname="Schwittmann" fullname="L. Schwittmann"> | <dt>Purpose:</dt> <dd>Unsupported NSEC3 iterations value</dd> | |||
| <organization></organization> | <dt>Reference:</dt> <dd>RFC 9276</dd> | |||
| </author> | </dl> | |||
| <author initials="C." surname="Boelmann" fullname="C. Boelmann"> | </section> | |||
| <organization></organization> | </middle> | |||
| </author> | <back> | |||
| <author initials="T." surname="Weis" fullname="T. Weis"> | <references> | |||
| <organization></organization> | <name>References</name> | |||
| </author> | <references> | |||
| <date year="2014"/> | <name>Normative References</name> | |||
| </front> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| <seriesInfo name="DOI" value="10.1109/NCA.2014.27"/> | C.2119.xml"/> | |||
| </reference> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| <reference anchor="ZONEENUM" > | C.5155.xml"/> | |||
| <front> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| <title>An efficient DNSSEC zone enumeration algorithm</title> | C.4035.xml"/> | |||
| <author initials="Z." surname="Wang" fullname="Zheng Wang"> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| <organization></organization> | C.4470.xml"/> | |||
| </author> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| <author initials="L." surname="Xiao" fullname="Liyuan Xiao"> | C.8174.xml"/> | |||
| <organization></organization> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| </author> | C.8914.xml"/> | |||
| <author initials="R." surname="Wang" fullname="Rui Wang"> | </references> | |||
| <organization></organization> | <references> | |||
| </author> | <name>Informative References</name> | |||
| <date year="n.d."/> | ||||
| </front> | ||||
| </reference> | ||||
| <reference anchor="RFC8624" target='https://www.rfc-editor.org/info/rfc8624'> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| <front> | C.8126.xml"/> | |||
| <title>Algorithm Implementation Requirements and Usage Guidance for DNSSEC</titl | ||||
| e> | ||||
| <author initials='P.' surname='Wouters' fullname='P. Wouters'><organization /></ | ||||
| author> | ||||
| <author initials='O.' surname='Sury' fullname='O. Sury'><organization /></author | ||||
| > | ||||
| <date year='2019' month='June' /> | ||||
| <abstract><t>The DNSSEC protocol makes use of various cryptographic algorithms i | ||||
| n order to provide authentication of DNS data and proof of nonexistence. To ens | ||||
| ure interoperability between DNS resolvers and DNS authoritative servers, it is | ||||
| necessary to specify a set of algorithm implementation requirements and usage gu | ||||
| idelines to ensure that there is at least one algorithm that all implementations | ||||
| support. This document defines the current algorithm implementation requiremen | ||||
| ts and usage guidance for DNSSEC. This document obsoletes RFC 6944.</t></abstra | ||||
| ct> | ||||
| </front> | ||||
| <seriesInfo name='RFC' value='8624'/> | ||||
| <seriesInfo name='DOI' value='10.17487/RFC8624'/> | ||||
| </reference> | ||||
| </references> | <reference anchor="GPUNSEC3"> | |||
| <front> | ||||
| <title>GPU-Based NSEC3 Hash Breaking</title> | ||||
| <author initials="M." surname="Wander" fullname="Mätthaus Wander"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author initials="L." surname="Schwittmann" fullname="Lorenz Schwittm | ||||
| ann"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author initials="C." surname="Boelmann" fullname="Christopher Boelma | ||||
| nn"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author initials="T." surname="Weis" fullname="Torben Weis"> | ||||
| <organization/> | ||||
| </author> | ||||
| <date month="August" year="2014"/> | ||||
| </front> | ||||
| <seriesInfo name="DOI" value="10.1109/NCA.2014.27"/> | ||||
| </reference> | ||||
| <section anchor="deploymentmeasurements" title="Deployment measurements at time | <reference anchor="ZONEENUM"> | |||
| of publication"> | <front> | |||
| <title>An efficient DNSSEC zone enumeration algorithm</title> | ||||
| <author initials="Z." surname="Wang" fullname="Zheng Wang"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author initials="L." surname="Xiao" fullname="Liyuan Xiao"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author initials="R." surname="Wang" fullname="Rui Wang"> | ||||
| <organization/> | ||||
| </author> | ||||
| <date month="April" year="2014"/> | ||||
| </front> | ||||
| <seriesInfo name="DOI" value="10.2495/MIIT130591"/> | ||||
| </reference> | ||||
| <t>At the time of publication, setting an upper limit of 100 iterations | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF | |||
| C.8624.xml"/> | ||||
| </references> | ||||
| </references> | ||||
| <section anchor="deploymentmeasurements" numbered="true" toc="default"> | ||||
| <name>Deployment Measurements at Time of Publication</name> | ||||
| <t>At the time of publication, setting an upper limit of 100 iterations | ||||
| for treating a zone as insecure is interoperable without significant | for treating a zone as insecure is interoperable without significant | |||
| problems, but at the same time still enables CPU-exhausting DoS | problems, but at the same time still enables CPU-exhausting DoS | |||
| attacks.</t> | attacks.</t> | |||
| <t>At the time of publication, returning SERVFAIL beyond 500 iterations | ||||
| <t>At the time of publication, returning SERVFAIL beyond 500 iterations | ||||
| appears to be interoperable without significant problems.</t> | appears to be interoperable without significant problems.</t> | |||
| </section> | ||||
| </section> | <section anchor="computationalburdens" numbered="true" toc="default"> | |||
| <section anchor="computationalburdens" title="Computational burdens of processin | <name>Computational Burdens of Processing NSEC3 Iterations</name> | |||
| g NSEC3 iterations"> | <t>The queries per second (QPS) of authoritative servers will decrease due | |||
| <t>The queries per second (QPS) of authoritative servers will decrease due | ||||
| to computational overhead when processing DNS requests for zones | to computational overhead when processing DNS requests for zones | |||
| containing higher NSEC3 iteration counts. The table below | containing higher NSEC3 iteration counts. The table below | |||
| shows the drop in QPS for various iteration counts.</t> | shows the drop in QPS for various iteration counts.</t> | |||
| <figure><artwork><![CDATA[ | <table anchor="iteration-counts-table" align="center"> | |||
| | Iterations | QPS [% of 0 iterations QPS] | | <name>Drop in QPS for Various Iteration Counts</name> | |||
| |------------+-----------------------------| | <thead> | |||
| | 0 | 100 % | | <tr> | |||
| | 10 | 89 % | | <th rowspan="1" colspan="1">Iterations</th> | |||
| | 20 | 82 % | | <th rowspan="1" colspan="1">QPS [% of 0 Iterations QPS]</th> | |||
| | 50 | 64 % | | </tr> | |||
| | 100 | 47 % | | </thead> | |||
| | 150 | 38 % | | <tbody> | |||
| ]]></artwork></figure> | <tr> | |||
| <td>0</td> | ||||
| </section> | <td>100%</td> | |||
| <section title="Acknowledgments" anchor="qps"> | </tr> | |||
| <t>The authors would like to thank the dns-operations discussion | ||||
| participants, which took place on mattermost hosted by DNS-OARC.</t> | ||||
| <t>Additionally, the following people contributed text or review comments | ||||
| to the draft:</t> | ||||
| <t><list style="symbols"> | ||||
| <t>Vladimir Cunat</t> | ||||
| <t>Tony Finch</t> | ||||
| <t>Paul Hoffman</t> | ||||
| <t>Warren Kumari</t> | ||||
| <t>Alexander Mayrhofer</t> | ||||
| <t>Matthijs Mekking</t> | ||||
| <t>Florian Obser</t> | ||||
| <t>Petr Spacek</t> | ||||
| <t>Paul Vixie</t> | ||||
| <t>Tim Wicinski</t> | ||||
| </list></t> | ||||
| </section> | ||||
| <section anchor="github-version-of-this-document" title="GitHub Version of This | ||||
| Document"> | ||||
| <t>(RFCEditor: remove this section)</t> | ||||
| <t>While this document is under development, it can be viewed, tracked, | ||||
| issued, pushed with PRs, … here:</t> | ||||
| <t>https://github.com/hardaker/draft-hardaker-dnsop-nsec3-guidance</t> | ||||
| </section> | ||||
| <section anchor="implementation-notes" title="Implementation Notes"> | ||||
| <t>(RFCEditor: remove this section)</t> | ||||
| <t>The following implementations have implemented the guidance in this | ||||
| document. They have graciously provided notes about the details of | ||||
| their implementation below.</t> | ||||
| <section anchor="opendnssec" title="OpenDNSSEC"> | ||||
| <t>The OpenDNSSEC configuration checking utility will alert the user | ||||
| about nsec3 iteration values larger than 100.</t> | ||||
| </section> | ||||
| <section anchor="powerdns" title="PowerDNS"> | ||||
| <t>PowerDNS 4.5.2 changed the default value of nsec3-max-iterations to 150.</t> | ||||
| </section> | ||||
| <section anchor="knot-dns-and-knot-resolver" title="Knot DNS and Knot Resolver"> | ||||
| <t>Knot DNS 3.0.6 warns when signing with more than 20 NSEC3 iterations. | ||||
| Knot Resolver 5.3.1 treats NSEC3 iterations above 150 as insecure.</t> | ||||
| </section> | <tr> | |||
| <section anchor="google-public-dns-resolver" title="Google Public DNS Resolver"> | <td>10</td> | |||
| <td>89%</td> | ||||
| </tr> | ||||
| <t>Google Public DNS treats NSEC3 iterations above 100 as insecure since | <tr> | |||
| September 2021.</t> | <td>20</td> | |||
| <td>82%</td> | ||||
| </tr> | ||||
| </section> | <tr> | |||
| <section anchor="google-cloud-dns" title="Google Cloud DNS"> | <td>50</td> | |||
| <td>64%</td> | ||||
| </tr> | ||||
| <t>Google Cloud DNS uses 1 iteration and 64-bits of fixed random salt for | <tr> | |||
| all zones using NSEC3. These parameters cannot be adjusted by users.</t> | <td>100</td> | |||
| <td>47%</td> | ||||
| </tr> | ||||
| </section> | <tr> | |||
| </section> | <td>150</td> | |||
| <td>38%</td> | ||||
| </tr> | ||||
| </back> | </tbody> | |||
| </table> | ||||
| <!-- ##markdown-source: | </section> | |||
| H4sIAHxujmIAA61cbXPcNpL+jl+BkmtrrcrMWPJLstHW1Z0syYlqrZeVZOc2 | <section anchor="qps" numbered="false" toc="default"> | |||
| qdQVhsTMIOKQDEFKmnP83+/pboBvM06yVadynNGQBBqN7qef7gY9nU5V7erM | <name>Acknowledgments</name> | |||
| Hum97xqXmjyxelFU+vL27OSVLk1l1ra2lfa2rl2+9HvKzOeVfTjS/JhKiyTH | <t>The authors would like to thank the participants in the dns-operations d | |||
| LUc6rcyinjpbL6Zp7otymnubvJouw6DTwwOVmNoui2pzpOdJqVxZYZCq8fXL | iscussion, which took place on mattermost hosted by DNS-OARC.</t> | |||
| g4NvD16qpkxxgz/Sbw7fvFG+Nnn6PyYrcgy+sV6V7kj/VBfJRPuiqiu78Pi0 | <t>Additionally, the following people contributed text or review comments | |||
| WcsHiLE2ZQkJf1ZJgalz33ge3iplmnpVVEdK6yn+09rluPTDTH9vqtTc24q/ | to this document:</t> | |||
| lFX8YP3w66JaHukPtycvzm/P+Qu7Ni470rTQ/1qFO/0st/Vw+I8zfdrcr4qH | <ul spacing="normal"> | |||
| 3PWG/+juayh3cIVneJsVxXpuq+VEv59dz8YzTaFD+19peGyGR5TKi2ptavdg | <li><t><contact fullname="Vladimir Cunat"/></t></li> | |||
| aWE3705eHh5+Gz6SAsPH1wev2o+vvzkIH/92+M3r+PHbQ3xULl/0x/vu+gNb | <li><t><contact fullname="Tony Finch"/></t></li> | |||
| wBFLEiwEX07fGm/TYB3fG7/Sbytr7qF3vrHTNP1Mw/+DSi5m+gfsaVBsp5Tx | <li><t><contact fullname="Paul Hoffman"/></t></li> | |||
| 96PH3s/0bbJ6dHW9Nnk+enbnxdEAJzP9trDZjqe3r4wevYNo1vnRY/1vyWSP | <li><t><contact fullname="Warren Kumari"/></t></li> | |||
| 9MuDw9f8q7eVs56UGZVwenV+pA8PZoeHB9++uDw5ntG9s5ff4PKPV5dnZ5cf | <li><t><contact fullname="Alexander Mayrhofer"/></t></li> | |||
| LgZKPs61XSxc4mxe69PLW2ha/y+cQNu8WdsKO1Tk2mTwI1ev1n+s9R9Zu8vR | <li><t><contact fullname="Matthijs Mekking"/></t></li> | |||
| En5c2XzZv7Ct9P92phhr220ak/evjB672TnZTePka6Wm06k2c19XJqmVEjNy | <li><t><contact fullname="Florian Obser"/></t></li> | |||
| Xpu40rVNViZ3fq3LqnhwKQyLPhULjT95kU/tk/O1JZSab5Tx0DfBkq5XpsZf | <li><t><contact fullname="Petr Spacek"/></t></li> | |||
| trLa4L+84Km9fM/P6LmtH63Ndf1YAC7gW7nco2A9K/xiWM0zrT/kmbu32tVe | <li><t><contact fullname="Paul Vixie"/></t></li> | |||
| J0WTA/0AgzXb/CRYvnkoXOp16iqb1NlGpc4nWeFFEoiGx1j03jzAUgeg0Ppu | <li><t><contact fullname="Tim Wicinski"/></t></li> | |||
| hQUDr7Cb2GFZJqSIQKmxvQFsxyDs9Zy9D3dgXnq6KINFmEyltsyKDQ9qn0qy | </ul> | |||
| Q4y2NV8AWf3pU8CJz581KaCb30D6GiJkWFonhKtb28tT7U1W9+SaycauXZoi | </section> | |||
| JKhn+jyvqyJtEnpAqWPPU/BIMjGh0ufPUZt9WaI+2l1Xw13nDSWExxeejMK7 | ||||
| ZQ6dwH5IKUWFbbGIHfPM+VXYj9EQeMjoJYAubAwAGYZUJA6KSfWN9UVT4bYb | ||||
| Hk3fbUqrnt/c3P3r+mxfs50EW+2tJEoRLOg8ZzNIsFs0G69yolbFo32w1YSv | ||||
| iXni4oPJXAqDpTU7eY7dncy4mC8an7BY9aoqmuVKPS8L79082+h1k9WuzGy3 | ||||
| NTTevl4ZWfjzpKkqbDluLXLY6O33x9NDcjbM0ni2M5rsnAwc4Wt/Fv3RZL7o | ||||
| 9mGvKOspW0RTlgi8exPckBWPNAURhXlWJPe8kiYXLcASM7sMEtUFHA8bhoVj | ||||
| FfMN1EduArFlMtkz8jrRFW1XnHFhTd2QR9N8XmemWlo8sMRGEsrS2LQyVj62 | ||||
| UAPHNzKsiqZgfA8Voqnc0pYX9L2+uYGvDRT/d3GHIMOkXZXuryot8r/WEOXX | ||||
| xtHYaerECQeLgluw73mTVA6IznAECzZreOe0smTC7HG7AU4Vi0VUWvDBHIIj | ||||
| TtLCcaHBo2u7BqFinzy5/qBJzStraGo1EAVW8QBBNWIIWAYrusnhJLaPLuxb | ||||
| rKjSJpAYW/ngDAaX+a+Pb44vwoBa4DaYammfGGisH4xHQ9F+kkV2IWtC64Uy | ||||
| GC0XmVn64BGtaHx/z6qxOkV3EOpgnjOTrIKpYD7cDLCCrbta9NDDRAGKNA6k | ||||
| eIFuXSL4AKOBSCx+8ZiztHiWndEw7GF/iuzBbkO2al3DF0CPOdBmWlI8ww6z | ||||
| dta4Kw2ik4dENKcliHUOkPPZM0ANGxKN7vVlURvBTc061fd2ox95E/cuPtze | ||||
| wQH5//ryij/fnP3zw/nN2Sl9ho+/f99+kDtoGPx+9eF9uIU+dQ+fXF1cnF2e | ||||
| yvP4Vo++ujj+l4xB+tm7ur47v7o8fr8nLtOPLLzb7O2OY2ZlCbewO1AVHGAO | ||||
| a2KaoN+eXOvD1wKfRFoBn/yZSClFI1CTiewkObf8Ct1hd8vSmiqMAlAAwJau | ||||
| BlxNaBoPfM01OTspNbjMdZvAfDRZY/UpAnUD0yNrUKTcRRHBzNskOHeQV9x1 | ||||
| bpL7ZUUBPdhc38KxvardVpZ54CkhkgSXqRFJwoYfR2cIUrTOoeF1WUoonRe1 | ||||
| TkVawYCBtmGUN/Dz4GUKeIGpzJICBWGDSaHS/ySdfv2SdEpmOArwIYh1TLLx | ||||
| eF7Ee0deKZL11sO+GgTsYgtcrAbH8bJbWLOtHmjf4bNAGB/Ak5/lyJg6OE8z | ||||
| hsqJbqNjGJCRY+8KMHzV1Hs8QJ8oTGAYDjgQocqToTCks5P3B1dbnGIItBKw | ||||
| lxYoYLLISZiw0NYGCRQLYBkzU7K1JgsGCoNvaIsgMkcoLMUtV7iQbhDkXcIg | ||||
| ExiQUX5NhguIIv4GhfcoTC/AQKSrDsayzUR2XwKhot1c2EfKyvGkxMgEmy7m | ||||
| Sw6jc/s4CFjknNgksGWWFEZiVCArDG74A/N0CU0my8otYbRBcKHp7FNN+ITv | ||||
| eY0qRGFhhGXhCLg6xs6wGpnmwvhatoVoq8mmtVtbRZLTrSG2YwqWu+GoIFFt | ||||
| SuiNORwph1LtR0O+LYopKt+iewTXpke3eMUmfXBefGLR0MogD8ctVynZlR5p | ||||
| NlWyQtBJSJ0SDSSvcjVnxZoNG7M2lKpy+CAtNNDHIORkBcIvzZgSRKwhvET9 | ||||
| Ct6KiO7DEiUQYEtqctYgNXbjluwD47N4E9KL0J55Q3wjY1GI8pBQwbQmitY6 | ||||
| hABCD1KH4cmZzJS1OBGtDHfU5p4VZKIZKkGEvwY3meLPkDcHAigQcd6G5zHT | ||||
| MNEaBbYWyHrqlpSSNC4vsZiQGrE02HnosrSmy+XiA02bVHni6h1QDriMIzLd | ||||
| JkeEHF2+0tWwAsuLkHbRAXafsdmeyF3e8mroIr5pc3TaauC0KJ93RPVTdZgG | ||||
| VVZEGXvsGY8mo4rJHjGrJqd5QklFI/l1OXG3og6pTj83GgambgcCJkvw3cMK | ||||
| 1Na11C5cHh7s9NYjrqJCukzyqEWTczRkejWntLldx2wvYMbamjySxnygxwB2 | ||||
| +bYcmPRAgys1rMVAoCl22BHrgxKuCIZaL0ppI2sX8nVGPiLVMN820IrtUfJO | ||||
| rg4TD8wYayFirEXT6oGYAHwL3gtQyYByMbLv1EyPiHY6UOcLWjT8B5BAIEnI | ||||
| RmzFEBJibkrBKVHuiUkEvRO1LtSaqgs0DHAhI6BIHSudxjN1DeJB1ix1Cbil | ||||
| aJhNRAjRX7NMhdXOKaxnTMCw0aleF7DgsKq9ZUNIjst7Ie2EIYE44ZF8ozJE | ||||
| 3Wy05Oh83dKxHRc0pDxfNpxeS9CjKSj7Jt1X+Iu8wwIAagKvJgcPpGXR9Oxd | ||||
| G76xG0GslhGf7plIMKVtI3hvguOsGiR3QsXthvGuWACVgr2JIJz+SVqHfBaM | ||||
| +R5gDMbiG/AEmDHXU/mriUqobkT7UjM05x7GBZDbyGX9aOcwtyUZU36P3xHf | ||||
| qoZYI9ujlDX8Bri4xkUg9iNnTdhlyiQmYSYOKA9kabZOIPoFySd+RknwuqTy | ||||
| ebfj2ALKHTj4sg76RSpgMjz4CR+ePz4+0pwumyi3NuWERCaLQLQ1BIEy3T7I | ||||
| cd5yEygZnpbcs889wFQhgQTyzuQzM7eZ8JR+NeytTUwTc3MnuVrIp11OOE8A | ||||
| rYJnML9MCirNbCzxV3huqMPAIJqKmEhXahGUKMtsQ0OM7K/vd3O7KSROCDbD | ||||
| Go8zxOZmudK3sh1UYn1FQvYBsyOHCF0ctBG8JSnjstAXM07oqyFNylqZjfdM | ||||
| dtlrlKhBCsnMelkUnEk2UqKQShoTdq7ZmQRMgHihr5uU8IxTc8leetw1+mBL | ||||
| Xtkw1gVns5Y4bTBErDhW6z9//vQpFpU/f5ZAfYukeRyiw5iCYK3WuajHckdy | ||||
| LSakYJZzRuAA6/rdP08vaWkuX+BuKctRmuOpJAWZSfYJUxbMVFqB7WBATCWN | ||||
| TMZUoYAjsCMCVRWIeFJtyrpYVqZcgffSfT6ScygA8rLtbmTjemowS0pDahXA | ||||
| FI+CJJIbjUHVE6DImiK34FUHKApRQtYKAHO/4tIeybEn980k/JXkSYT2MQiQ | ||||
| nS2qYo2Fu4x5cFMqAjJizmRpzHdj+Wvo+dFcuLoJDTMmZYRORsonMCxiTZSN | ||||
| cmjrhOaaBnwN41PiRRKIIvslSAC0VFm8Q+xlfVE26bjElFNxXLw8EgAoIOBO | ||||
| ZhKB122WR7i38VRQwQY6SgZZTTbdo+J8n/Ix+57+iqjPZaVBXZxVZqmmI4hz | ||||
| t2qAMnmhgqKg5ykZScNlUI5yhO3iW6XFl025Y5NVsIeuTloT4NXCmWfUZ5E7 | ||||
| iRj6uJbASAgxVZgUW8Y2CuDvT1MGkh59hS0bMd9TroC1cYJAJkhhJNbnCP2x | ||||
| OXeFZBHc4xTfKbJY/twuJ7KvMH+iyCSlPJZP0h9KnYnoCznVfYoZaQQrbEa1 | ||||
| bOGvYgtykTaKmyIlPmDHp4Q0xEa4BCPONIsl7XCJb50wfgQdqj2a0rdFQTKB | ||||
| rmVF5WiTESnZ58INm5hHdPV1z7i6qi0xJ6gumM86InZLlHh+MhWqDQUOEq6p | ||||
| pIJAjJwiZLdSqAof7LoUisY3SuJIm8FRiCWj1SrGqv4Qu4AShMf5wJuTHuUK | ||||
| mmXIdgsdi5fhIWpxLYmGNW3q2tdrLIPLIKx6YTWPUikZoDbXS8iO6v4MaWG5 | ||||
| gqRkqi/IB0s8oeuCS4Fl9hcX6bk8Tsm4tHSkhRK9QlGxoUdO+zWFqrFSaeXs | ||||
| Hp4c834aEsBD5XOpIQO4EUik8Mc3M7ugzFwSrvAckC7sd68w98hhmhm8fVS8 | ||||
| AhcCJtVlH5ht0PCaSkwbwZ0wDIvcpjkqLioFQhBPk6A2YdGNRDfuV/I4cvNT | ||||
| l/9PpHkwZv3k9pNQ1ZAVzvHXo0uhGGG5Jec8Ia9CZu4VT7CgLbCc4nTTr0O1 | ||||
| mTZfwgtjyS4rVZJ1xWyONdkQIfFciOQe17hcfcolEbYJDP6xq4jLFktbbLt6 | ||||
| 2sy3Cqg7q+EkZRt3VNAc80MAREs/Q1IhFObtoMROg/xIJnMdCFkFYd4RLZxE | ||||
| X+vXY7gAH9oDoaHkh1Ui8pMcccSm7OkCRjrUyXvVPaLgJHXCTIGfn7XAFTxl | ||||
| yYWPSkvsiDKUBRXrnntrQdYGl+YNspfcf/68z1U9dpXdZadReyLJqPhAGdGt | ||||
| kFzBddUyVkNFzhqcwHEfhA2VdICFUIbIZTZTJ6tuZyP6IrSAfSBEw1iEeJH7 | ||||
| tAlImyBQ0heSBNbYGpa35JIfYSeFJ2RZhAbnUdvrhvvwrNGga4BZj3dzv12K | ||||
| BNziAPmM+QuVxR4obxjpNmiQhGiLJkIx23EVD+sDinIh8iAmLwIboSeEieGu | ||||
| U/u0AhliNZ8Wt5FQTJjLcXN08Gzl/D09yV0Ptry5y0jT4KYgK2s/qOekrXex | ||||
| zphlUpK0Zt/kOkV7MWyI+ikc3vm5nb0hg2BEFwjoJyGhNr2GgE1owA01Fr0v | ||||
| YQzsBLJOWqIymY6HwIRMYtQKk5GRUgAP5Umh/cHJ23NBoxZg7M0o5JfF4xH3 | ||||
| tfTfNfejieiNt4sT6BIKJASTUy1/57/nSTmzT4ZMGVHxst+bOMSOHugpgID8 | ||||
| fT0SMeSvsa88751hikYPj7m8ulO95tdMBmMclhos0xIsztsQkELHnwoGbQRa | ||||
| m18KBpsQxfuEmSrwCW1KrzQ/acW6OP5XdA6qfrVl7q5jF0q6HODm5MopJU4h | ||||
| fMP4ppnNl1Qca2N4W2F+XtmSmjN5aMoZvTfdizEwXJG8QM6B0XEA+K2kXyS7 | ||||
| +GzeGjLYecj7ettwcxNbV410rdSujqog4U8hT/85dt70633ZrlHrd3TYJBY2 | ||||
| hNpIUkrqk/AvYPFowBPIVkN/H5AGck5kg7ONBNkG5QD6uKP2IxLDQ4XjC6rl | ||||
| PqEyFVMa8bvenZHh8A4+G8dXlqgXUG+iQpR62+Vfle2KrqFKg7BSPNYrsWF8 | ||||
| /ZxrEcl+aOLtVnLXzW/mv0DDTHlDStO2JtsWS+0Vsy4oNc1kIDAPKuSwxgyC | ||||
| yWZdND4GnsmwH6laFAgT7xSpY6MOsc4ikXHU+HHcSqFiDQspS+4K+JIbjyNd | ||||
| bwYVZwiBv/hyN1/7YlFztY7rbyT67h4qdSFd3hBjxPRm50koiVZdC8krKnlk | ||||
| HOxljaldmIYKHUliS8ldM7emk2VckOZ0EOvCV1g0LSrk4aqubHRs6iZux0jj | ||||
| OzTJLDJCH/qM3W6HBGKyUw9/XlNqrCmYfsWRYqixneumiNmuXfHa2QukGkjz | ||||
| 3Z7dfHx3fP5eSH/vaMg4lqjQGKZrYxMRnXSGYq369KnbmBALeY9CN7z/FffC | ||||
| yOON0FPaFmqIiZeZmPGMjjtgaSXQEGZCZLs2chBReqHw/o+7HIAgXpbOxCdu | ||||
| IBk/HVoOlR0oMHiZ2q2UGFOYPfRMg9VCJxKI4cyEdTBlECzYuc3dTuySSDEN | ||||
| AxcC2IWnbagjxc6zWPJqeKCLWyA5aVgNED3s1KORKEHVIqq2SDAJj/bVTpFC | ||||
| DUq6vXLv/u+pmdcddd1ZWatq0qz6NzUbuCMs7OM2+Mi0yaooZCOhoILYzw42 | ||||
| 30ohE6mRero0QuaLJaZH2oXQ8JG8FBumehvYLTOUCMWMwpGAog9DnQTk4nSc | ||||
| tK0e7k5AvqTr3fYDD2tlMbl/lENr0nkPQplFzZqgmWO22TNQ7o2GlvM2s1Qs | ||||
| KGe8O4R97vcja+q87eypFpKKoKnOqgoiPj87PdsPh4++PaSDMme4eECMLPi8 | ||||
| FEKe4wZcOr+7ujnSd29PYXg7dSHl2y0L6Bld6Iv2Vzb2jeekiFRa+Ltdbp+T | ||||
| I0WEMCyPoQmLCZIPMg6+5mPo5Ini0YyOgs03/VYlnWi2sbcTSH7vhBrUvXRS | ||||
| TGhPChKVHLViVDv8jBCZx7mNqfjJ4GSe5BXVsgkT5FzTRAhjOmJH/sLHd4jv | ||||
| jnX3RdJ1XSHBAo9/QQIUuILPN3yaAqOuXAkGFm9hkt/etDsXZ2mF/LUsi6oI | ||||
| c8v20ORyXiucWehXIxAnFtQ5Tl9Qc3R4tqENuKH5uXDLJqyOE2c+sSFndxIx | ||||
| FebubQzq8jriBmrMVrrjG11qQYeP2rXS6viUasggua9Ru5DmdscohMGoeOTe | ||||
| Va1e4hTY3Uq2jOoMxGuK/pSlqFrFxyJrl4ChBwOLcM62g+88RinnA6n+LhSS | ||||
| qLTkNq6KBX99185Q2cyFLB1ZPeOQyETzDEjqGJnDScSgITDkahNQrS8qG+l9 | ||||
| Th293hGaOrZYISCl+YtgI3EDWn2YNgBzmcb4sDLJKr7kQ0pOG4eiastT4hnC | ||||
| 3inZ4alYkfYBkoPe93UaXgGQc+W7jzhyeZFCwx1bopNYw5j3Za7RY64PPtgw | ||||
| nlTypKvb29oIEutGUXCYSwIlcVdpqwLGwW73/MyqfXTdPoU284LORys+Y5Lw | ||||
| oa4A/d5sAGgH+6HUOpIsPMcknayIF8LPvMEzE1pNYOftaeleOhbbElOXT3F9 | ||||
| Gl6giG1KEnBBQxBdas+ht++x8PHnyHmla/bHOdHu/CcES+TKvf2QtQn1CCrj | ||||
| kr4c7eprj/CQTlRQ3hw6mdFi1Dhz8ZGbyHmungH8nukAWpd0yHQ7b2CX6B2W | ||||
| /He94svHxf9fHOOZPj++PN4tVCtNm2sbLkPQmcgQqUOBhsvbGGQdP97yKVuq | ||||
| 0y7bvuFen+FoYTgn9F7JXnvHqfRdL0n1t3x+RT3HzfvdOWncPDjbGRqu8TRs | ||||
| W/CnzhJV5IFjyA4Sf6TUV/r88t3V9OTq9OxomzLh8nVTlaBGR/rDFrHrWYnU | ||||
| rb5CfA7RbDTYIA3blzePqBdEuj7tjnMOEjwKKJLUDbKLT8++kCMqdVz3U8H+ | ||||
| U5P2QD9RVD5XInktbgNQ9JbCJf1eJr+FOvwyTls1Dnrmd206LqZiGVkOVIT3 | ||||
| Lth5WDjJzeRgst9Rvo5oMvv9Ne1IyMOpmzfDNckh/Fjv+kPx+1XwZ2TB26X7 | ||||
| cI5jmIj1DOLTs50tEwk6FIIp5JY2sgX9/J/XsGhqUe4kb5xFBXoLRICttYWx | ||||
| tmcUXqPZqknIW2axMFYEbtGvTIRAsLNUFM6vBZ/iariiyrhgYAo9kr9Deh46 | ||||
| AM/2IFJA/61/APQ3fuqnv0jrpKc7fP2z/k0emPZ+vpr+3k94QLc/B/iFbPsv | ||||
| evfP+IFDeuBv337x/q0HXvIDL//8A2/oga9f/+kHSPrf9Otv/vwDPMOrv/3e | ||||
| A+rTkX72a+nl3d3/2DsDAU/qXlTov5qHnQ22eg0DkTxk7zN5xXFCXDGz6VKq | ||||
| iPJKCBsvzJWZJr+RyoHT5HJmIc39tI1dPgY06nYJh3GlYb4q8bsuins5y0OC | ||||
| rOkYRMVnRFeFDwe1YdvTq+ObEwKKtoscj4p0jd7SFnSYJuHm4lwO5dgnPuxZ | ||||
| 2QeH8CXZF2UIRTBsUGyODx8zQ0cCEZYaZLL44q7IN4hoebKi8GCaTH9fLBZr | ||||
| ZMhf6R8MvWKi/9EQL8fvx5l94tfE9YXZVKsC0QHfXmApK/eL1xf2nl9D/0q/ | ||||
| y+D0wOaruedbrm0NfZdY+32c5aN7chRj7txa/wBd5f7e0U585+rvm7n+CJwI | ||||
| BQAO1Kexyq0oEp1BOUV1RMe6iCBJfi2EAOHoh5XL7KhW6OJbAykdti1K+pK5 | ||||
| YWhlkNq4I0onUvBBOe8b+qJs+MAhh9/rG+zmbDbjV5ygzlVdl/7oxYslLjbz | ||||
| GbT+Iv57BC/kH2OIv+78BxmYmkQOKPhCNQP/Z9Y4bP27wSjhVcOOXkq7pD0z | ||||
| Gd4bU703mfhUMD+1hAII9LJNPKOYcsspHq1kc7LA2oycTIUcbbgKxlWpBIAW | ||||
| 5qFFwjJ3v4/y62Rl5cxQU0vvloOEyWzINxuyJBGBtbjVnRgUCIE1Mv81lcSp | ||||
| 3KTiJ/169mb2su1dyXqkVi75Br2cxPu0Nk/T4YlUIJIM+w8qDfGRa0Q7/iV2 | ||||
| kpRqr72aHcy+RuZQxVeC4gkaaTkXkmjnhLxjrJqpwaD6zezV7DAmT1vAJmkC | ||||
| wWWP2oig3xUFneDjgxoJS9UJun3tDyY4GEwgJWN1a8uaz1ZiHS8PB7OeZEUj | ||||
| xT41/ob20+vD0UvtX7+ezp2gN510QLbHpyDC8bsCBhC7yv13eGbb773SOfCC | ||||
| E1aT/tJEfCUbgmr/D2doApZyRQAA | ||||
| </back> | ||||
| </rfc> | </rfc> | |||
| End of changes. 80 change blocks. | ||||
| 676 lines changed or deleted | 356 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||