Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

[Roy Arends <roy@dnss.ec>]

On Feb 22, 2010, at 4:44 AM, W.C.A. Wijngaards wrote:

> On 02/22/2010 04:53 AM, Roy Arends wrote:
>> On Feb 21, 2010, at 7:22 PM, Mark Andrews wrote:
>> 
>>> NSEC3
>>> has a non zero false positive rate due to the fact that the names
>>> are hashed.
>> 
>> Are you going on again about the possibility of hash collisions is SHA-1? 
> 
> Yes.  +1 for Marks point.
> 
> The deployment of NSEC3-signed toplevel domains is a giant hash
> collision test of typo dictionaries.

Not really, most (will) use Opt-Out.

> What does the registry do when
> someone registers a new domain name that has a hash-collision

We'll claim that sha-1 is broken, write a paper on it and have our 15 minutes of fame. Meanwhile... 

In the real world, if someone registers the name 759345ihkjgrj345837458fjfgiusifghgvtsrhf8hfvihi.co.uk and its hash collides with example.co.uk (lets skip the probability factor), than its just gotten a bit more efficient. One hash matching 2 names, i.e. we can now deny two names for the price of one. 

The real problem is that a SHA1 hash collision would render all signatures with RSASHA1 vulnerable. Haven't heard you about that. 

I suggest that if you and Andrews want to have this claim rfc4641bis, you should not discriminate on NSEC3, but on everything that uses SHA1.

> (resign
> with a new salt, and also keep that 2-second update guarantee? - I would
> suggest some weasel words in agreements).

Nah, we love collisions, it makes it all so more efficient. Besides, I think the probability of finding a bug in authoritative server software is way higher than a hash-collision.

> But I agree more pertinent to choice is the increased CPU demand and
> larger packets when using NSEC3.  And opt-out, obfuscation desiderata.

All FUD.

Roy