[dnssec-deployment] Dnssec Impact reporting: Authorative servers (draft 0.5)

Ólafur Guðmundsson ogud at ogud.com
Fri Jun 17 12:26:19 EDT 2005


After writing this message I realized that most of this text is
"my requirements for a scrambled zone".
Scott, can you make a statement if your tool complies with these
requirements or what the differences are?


At 14:04 16/06/2005, Jaap Akkerhuis wrote:
>Olafur,
>
>     Any chance a randomized snapshot of NL be made available as the
>     example Delegation-only zone for measurements?
>
>Maybe we should take this off-line later on. I'm not working for
>the Dutch registry anymore, so it is more difficult than it used
>to be.
>
>The current NL zone is 1525021 domains 84Mb (at least today). That
>will fit your need? Do you want to do the randomizing yourself?
>What will you do with it? Maybe you have to sign an NDA. Anyway,
>I'll have to speak to the people first.

If Scott's tool does this and is simple to run then owners of the
zones can perform the scrambling themselves and check that no information
is leaking. If they prefer someone else do it, I'm sure I can find
someone to do it (including myself after signing any required legal
documents).


What I'm looking for is a large Delegation mainly zone(s).
What a large zone gives us is scaling factors, whether the zone is
500K or 1.5M domains does not make a difference, the difference between
1K and 5M on the other hand is huge.
What I would like from a scrambled zone is a zone that has the same
characteristics as the original in the following regards:
         same size as original
         same name length distribution
         same glue factor
         same distribution of NS sets size

The 4 letter and shorter names are hard to scramble due to the fact that in
a large zone like NL a high percentage of letter digit combinations are taken,
but reserved names should help.

Example of input:
$ORIGIN xxx.
@       SOA .... [44 bytes rdata]
         NS <4 records, 12, 13, 12, 12 bytes, 2 in zone 2 outside>

a       NS <2 records 24, 23 bytes outside xxx>

bb      NS <3 records 14, 10, 20 bytes one in b.xxx>
ns1.bb.xxx. A   67.32.32.52

Amsterdam-red-light     NS      <2 records 14, 14 letters long>


Example of scrambled zone for same records:
$ORIGIN 123.
@       SOA .... [44 bytes rdata]
         NS <4 records 12, 13, 12, 12 bytes 2 inside 123 zone>

p       NS <2 records 24, 23, bytes outside 123>

re      NS <3 records 14, 10, 20 bytes one in re.123.>
1e3.re  A       127.32.32.52

just-another-name-1     NS      <2 records 14, 14 letters long>

         Olafur 
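
The four requirements listed in the message, as an added example (not Scott's tool and not code from this thread): a minimal scrambler that replaces every label with a random one of equal length, keeps in-zone NS targets and their glue attached, and checks that the measured profile is unchanged. Assumptions: a single-label origin, records given as (owner, type, rdata) tuples, "glue factor" read as the count of in-zone NS targets and glue A records, and the names `Scrambler`, `scramble`, `profile` and `SAMPLE` are hypothetical.

```python
import hashlib, ipaddress, secrets, string
from collections import Counter
ALPHABET = string.ascii_lowercase + string.digits

class Scrambler:
    def __init__(self, origin, new_origin):
        assert len(origin) == len(new_origin)      # zone name keeps its length
        self.labels, self.used = {origin: new_origin}, {new_origin}
        self.per_len = Counter({len(new_origin): 1})
        self.key = secrets.token_bytes(16)         # per-run secret, never written out

    def label(self, lab):    # same length, one-to-one, stable within a run
        if lab not in self.labels:
            # short labels can run out of free replacements in a dense zone
            if self.per_len[len(lab)] >= len(ALPHABET) ** len(lab):
                raise ValueError(f"no unused {len(lab)}-character labels left")
            new = "".join(secrets.choice(ALPHABET) for _ in lab)
            while new in self.used:
                new = "".join(secrets.choice(ALPHABET) for _ in lab)
            self.used.add(new)
            self.per_len[len(new)] += 1
            self.labels[lab] = new
        return self.labels[lab]

    def name(self, fqdn):
        return ".".join(map(self.label, fqdn.lower().rstrip(".").split("."))) + "."

    def record(self, owner, rtype, rdata):
        if rtype != "A":
            return (self.name(owner), rtype, self.name(rdata))
        h = hashlib.sha256(self.key + rdata.encode()).digest()   # glue: keyed hash into 10/8
        return (self.name(owner), rtype, str(ipaddress.IPv4Address(b"\x0a" + h[:3])))

def scramble(records, origin, new_origin):
    s = Scrambler(origin, new_origin)
    return [s.record(*r) for r in records]

def profile(records, origin):    # the properties the scrambled zone must share
    ns = [(o, r) for o, t, r in records if t == "NS"]
    sets = Counter(o for o, _ in ns)
    return {"name_lengths": Counter(map(len, sets)), "ns_set_sizes": Counter(sets.values()),
            "ns_rdata_lengths": sorted(len(r) for _, r in ns),
            "in_zone_ns": sum(r.endswith("." + origin + ".") for _, r in ns),
            "records": len(records), "glue": sum(t == "A" for _, t, _ in records)}

SAMPLE = [  # constructed records, shaped like the example input in the message
    ("xxx.", "NS", "ns1.xxx."), ("xxx.", "NS", "ns.example.net."),
    ("a.xxx.", "NS", "ns1.hosting.example."), ("a.xxx.", "NS", "ns2.hosting.example."),
    ("bb.xxx.", "NS", "ns1.bb.xxx."), ("bb.xxx.", "NS", "ns.example.org."),
    ("ns1.bb.xxx.", "A", "192.0.2.53"), ("amsterdam-red-light.xxx.", "NS", "ns1.example.com.")]
```

Comparing `profile(SAMPLE, "xxx")` with `profile(scramble(SAMPLE, "xxx", "123"), "123")` is the check a zone owner can run before handing the scrambled file over.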



