IETF Logo Mail Archive

Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Paul Wouters <paul@xelerance.com> Tue, 23 February 2010 21:38 UTC

Return-Path: <paul@xelerance.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 259CE28C0DE for <dnsop@core3.amsl.com>; Tue, 23 Feb 2010 13:38:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.544
X-Spam-Level:
X-Spam-Status: No, score=-2.544 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PYpm7JVujamo for <dnsop@core3.amsl.com>; Tue, 23 Feb 2010 13:38:40 -0800 (PST)
Received: from newtla.xelerance.com (newtla.xelerance.com [193.110.157.143]) by core3.amsl.com (Postfix) with ESMTP id 4D9CC28C332 for <dnsop@ietf.org>; Tue, 23 Feb 2010 13:38:40 -0800 (PST)
Received: from tla.xelerance.com (tla.xelerance.com [193.110.157.130]) by newtla.xelerance.com (Postfix) with ESMTP id A7604BFE7; Tue, 23 Feb 2010 16:40:43 -0500 (EST)
Date: Tue, 23 Feb 2010 16:40:43 -0500
From: Paul Wouters <paul@xelerance.com>
To: Doug Barton <dougb@dougbarton.us>
In-Reply-To: <4B844911.5010303@dougbarton.us>
Message-ID: <alpine.LFD.1.10.1002231638570.18920@newtla.xelerance.com>
References: <201002220022.o1M0M3qR048760@drugs.dv.isc.org> <A8EB3AAE-0DA6-4C4E-B2D1-E548884F63D5@dnss.ec> <4B8251E9.70904@nlnetlabs.nl> <699B9362-B927-4148-B79E-2AEB6D713BE8@dnss.ec> <4B82897F.7080000@nlnetlabs.nl> <9C97F5BFBD540A6242622CC7@Ximines.local> <20100222161251.GA99592@isc.org> <FD83B7A9-583C-4E6C-9301-414D043DBB08@dnss.ec> <20100222172325.GC99592@isc.org> <EC6B9B3F-4849-403D-B533-8CE6114575EA@dnss.ec> <20100222195938.GA13437@isc.org> <4B835DB6.5050203@dougbarton.us> <alpine.LFD.1.10.1002231041210.9909@newtla.xelerance.com> <4B844911.5010303@dougbarton.us>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2010 21:38:41 -0000

On Tue, 23 Feb 2010, Doug Barton wrote:

> Because NSEC3 uses a hash function there is an unimaginably small chance
> that two different hostnames could produce the same hash output, and and
> even smaller chance that such a collision could be exploitable by an
> attacker. This issue SHOULD NOT be a factor in making an operational
> decision about which type of signing to use. See [RFC5155] for more
> information, including the relevant mathematical background.

4641bis is "DNSSEC Operational Practices". Why add something and then
immediatley say "SHOULD NOT be a factor"?

This is not Matlock :)

Paul

v2.23.0 | Report a Bug | By Email