IETF Logo Mail Archive

Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Evan Hunt <each@isc.org> Mon, 22 February 2010 16:15 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0CE153A7E9B for <dnsop@core3.amsl.com>; Mon, 22 Feb 2010 08:15:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-NFxGmg-UHO for <dnsop@core3.amsl.com>; Mon, 22 Feb 2010 08:14:09 -0800 (PST)
Received: from farside.isc.org (farside.isc.org [204.152.187.5]) by core3.amsl.com (Postfix) with ESMTP id 48A463A6FF9 for <dnsop@ietf.org>; Mon, 22 Feb 2010 08:14:09 -0800 (PST)
Received: by farside.isc.org (Postfix, from userid 10292) id C65B0E60B8; Mon, 22 Feb 2010 16:12:51 +0000 (UTC)
Date: Mon, 22 Feb 2010 16:12:51 +0000
From: Evan Hunt <each@isc.org>
To: Alex Bligh <alex@alex.org.uk>
Message-ID: <20100222161251.GA99592@isc.org>
References: <20100220202751.GB54720@shinkuro.com> <20100220213133.GE2477@isc.org> <4B807DC0.9050807@ogud.com> <315AD36E-879A-4512-A6A8-B64372E3D3CF@sinodun.com> <201002220022.o1M0M3qR048760@drugs.dv.isc.org> <A8EB3AAE-0DA6-4C4E-B2D1-E548884F63D5@dnss.ec> <4B8251E9.70904@nlnetlabs.nl> <699B9362-B927-4148-B79E-2AEB6D713BE8@dnss.ec> <4B82897F.7080000@nlnetlabs.nl> <9C97F5BFBD540A6242622CC7@Ximines.local>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9C97F5BFBD540A6242622CC7@Ximines.local>
User-Agent: Mutt/1.4.2.3i
Cc: dnsop@ietf.org, "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2010 16:15:10 -0000

> Using NSEC instead of NSEC3 because you fear SHA1 collisions does not
> seem sensible, as if you fear SHA1 collisions, you have other more
> significant problems with DNSSEC to worry about, and thus this is
> not, in my opinion, reasonable. And it isn't sensible to suggest
> users worry about it. If we are going to mention it, it should be
> in security considerations, saying NSEC3 is dependent upon certain
> properties of its hash algorithm (I forget now whether it is
> collision resistance, pre-image resistance or or what), but this
> should also point out the whole of DNSSEC is predicated on similar
> qualities.

+1 except for the "if".  It is mathematically possible for collisions to
occur with one approach and not the other, and it would be irresponsible
not to make note of the fact, even if we agree that the chances of this
occurring in nature are negligible.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

v2.23.0 | Report a Bug | By Email