Alternative way to estimate total size of NSEC3 chain

[pspacek]

It's impossible for NSEC zones, but there is a neat and super-fast trick for NSEC3-signed zones!

https://blog.apnic.net/2017/03/10/surprising-connection-hyperloglog-dnssec-nsec3/

C++ implementation:
https://github.com/ahupowerdns/pdns/blob/dnssecmeasure/pdns/dnssecmeasure.cc

[pspacek]

(Needless to say that this would enable nice progress bar for NSEC3-signed zones.)

[anonion0]

We did something similar to this all the way back in 2011/2012, when nsec3map was initially written.

Our approach was to simply extrapolate the size of the NSEC3 chain by looking at the ratio of number of records / total hash distance covered. The difficulty was simply accounting for the sampling bias that (partial) NSEC3 enumeration produces (it doesn't produce a random sample because it tends to find records that cover a larger hash distance sooner).
I can't remember the exact math now (it's been a while), but it's probably described in our original paper.
It's implemented in the -p/--predict option.

(Needless to say that this would enable nice progress bar for NSEC3-signed zones.)

This is precisely what the -p option already does :)

[pspacek]

I'm sorry for the noise, I don't know how I did miss that 🤦

[anonion0]

No worries.
I'm going to leave this issue open until I've had a chance to compare the cited approach to ours.