Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Mark Andrews <marka@isc.org> Tue, 23 February 2010 00:14 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9ED0628C47E for <dnsop@core3.amsl.com>; Mon, 22 Feb 2010 16:14:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.688
X-Spam-Level:
X-Spam-Status: No, score=-4.688 tagged_above=-999 required=5 tests=[AWL=1.911, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3J99t9eY1Hup for <dnsop@core3.amsl.com>; Mon, 22 Feb 2010 16:14:32 -0800 (PST)
Received: from farside.isc.org (farside.isc.org [204.152.187.5]) by core3.amsl.com (Postfix) with ESMTP id 6B0413A8423 for <dnsop@ietf.org>; Mon, 22 Feb 2010 16:14:32 -0800 (PST)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id D264AE60B8; Tue, 23 Feb 2010 00:13:13 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id o1N0D4rM068005; Tue, 23 Feb 2010 11:13:05 +1100 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <201002230013.o1N0D4rM068005@drugs.dv.isc.org>
To: Andrew Sullivan <ajs@shinkuro.com>
From: Mark Andrews <marka@isc.org>
References: <24C8A8E2A81760E31D4CDE4A@Ximines.local> <8E6C64ED-A336-4E8B-996F-9FB471EB07C6@NLnetLabs.nl> <4B7FE58C.5030605@ogud.com> <20100220202751.GB54720@shinkuro.com> <20100220213133.GE2477@isc.org> <4B807DC0.9050807@ogud.com> <315AD36E-879A-4512-A6A8-B64372E3D3CF@sinodun.com> <201002220022.o1M0M3qR048760@drugs.dv.isc.org> <d3aa5d01002212013x50993902xa8be099c09aefd16@mail.gmail.com> <20100222161758.GF2228@dul1mcmlarson-l1-2.local> <20100222185157.GO64954@shinkuro.com>
In-reply-to: Your message of "Mon, 22 Feb 2010 13:51:57 CDT." <20100222185157.GO64954@shinkuro.com>
Date: Tue, 23 Feb 2010 11:13:04 +1100
Sender: marka@isc.org
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 00:14:33 -0000

In message <20100222185157.GO64954@shinkuro.com>, Andrew Sullivan writes:
> On Mon, Feb 22, 2010 at 11:17:59AM -0500, Matt Larson wrote:
> 
> >   I am adamantly opposed to including
> > any text about SHA1 hash collisions in an NSEC3 context.
> 
> Add me to the choir.  Actually, I'm opposed to including any text
> about SHA-1 hash collisions in _any_ DNSSEC context until we write the
> document, "Deprecating SHA-1 hash functions for DNSSEC".  

SHA256 and SHA512 have the same problem, just with different probabilities
of collisions.  The problem is that one is using a hash, not the strength
of the hash.

> A
> 
> -- 
> Andrew Sullivan
> ajs@shinkuro.com
> Shinkuro, Inc.
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
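The point made above, that a collision is a property of hashing names into a fixed-size digest rather than of any one digest, is easiest to see alongside what an NSEC3 signer actually does: hash every owner name with the zone's salt and iteration count (RFC 5155, section 5) and refuse to publish if two distinct names land on the same hash (RFC 5155, section 7.1). The following is an example written for this page, not code from the original message, from ISC or from BIND. The owner names are constructed for the demonstration; the salt and iteration count match the parameters RFC 5155 Appendix A uses for its test vectors, so the function can be checked against that appendix. The `digest` parameter is this example's own knob, not part of the protocol, and exists only to show that the collision check is identical whichever hash is plugged in.

```python
"""NSEC3 owner-name hashing (RFC 5155, section 5) and the signer-side collision
check (RFC 5155, section 7.1).  Example code for this page; not from the
original message, ISC or BIND."""
import base64
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# NSEC3 presents hashes in base32 with the Extended Hex alphabet (RFC 4648,
# section 7) so that hashed owner names sort in the same order as the digests.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX_ALPHABET = bytes.maketrans(_B32_STD, _B32_HEX)


def _sha1(data: bytes) -> bytes:
    """SHA-1 is the only hash RFC 5155 defines for NSEC3 (algorithm 1)."""
    return hashlib.sha1(data).digest()


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034, section 6.2)."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)  # root label
    return bytes(out)


def nsec3_hash(name: str, salt: bytes, iterations: int,
               digest: Callable[[bytes], bytes] = _sha1) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns the final digest as lowercase base32hex (how zone files show it)."""
    h = digest(canonical_wire_name(name) + salt)
    for _ in range(iterations):
        h = digest(h + salt)
    # A 20-byte SHA-1 digest is exactly 32 base32 characters; shorter digests
    # (only reachable through the example's `digest` knob) would be padded.
    return base64.b32encode(h).translate(_TO_HEX_ALPHABET).rstrip(b"=").decode("ascii").lower()


def find_hash_collisions(names: Iterable[str], salt: bytes, iterations: int,
                         digest: Callable[[bytes], bytes] = _sha1) -> Dict[str, List[str]]:
    """Map hashed owner name -> distinct owner names that produced it, keeping
    only hashes hit by more than one name.  A signer that gets a non-empty
    result must choose a new salt and re-hash (RFC 5155, section 7.1)."""
    buckets: Dict[str, set] = defaultdict(set)
    for n in names:
        key = n.rstrip(".").lower()  # case variants are the same owner name
        buckets[nsec3_hash(key, salt, iterations, digest)].add(key)
    return {h: sorted(ns) for h, ns in buckets.items() if len(ns) > 1}


# Salt and iteration count as used by RFC 5155 Appendix A; names constructed here.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
NAMES = ["example", "a.example", "ai.example", "ns1.example", "ns2.example",
         "w.example", "x.w.example", "y.w.example", "x.y.w.example", "xx.example"]

if __name__ == "__main__":
    for n in NAMES:
        print(f"{n:16s} {nsec3_hash(n, SALT, ITERATIONS)}")
    print("SHA-1 collisions:", find_hash_collisions(NAMES, SALT, ITERATIONS) or "none")
    # Same algorithm, same check, but a one-byte digest: only the probability
    # of two names landing on the same value changes.
    tiny = lambda data: hashlib.sha1(data).digest()[:1]
    many = [f"host{i}.example" for i in range(40)]  # constructed names
    print("1-byte digest collisions:",
          find_hash_collisions(many, SALT, ITERATIONS, tiny) or "none")
```

Running the module prints the hashed names for the constructed zone and, for contrast, the collisions that appear once the digest is truncated to a single byte; the detection logic is the same in both runs, which is the substance of the remark about using a hash at all.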