> Fred Morris <mailto:[email protected]>
> Friday, November 28, 2014 3:07 PM
>
> ... is not mathematically necessary. As a simple counterexample, XOR is
> commutative and associative: it doesn't matter the order you XOR multiple
> blocks in. Not saying XOR is the One True Way, just that implementation
> details like that are probably a distraction at this point.
any zone-level signature has to be crypto-authentic. XOR is too easy to "fix up", as in: add or delete your desired changes, compare the new checksum to the old one, then add a TXT RR that causes the new checksum to match the old one.

so, i'm not in favour of zone-level signatures per se, but if they're coming, then marka@isc's characterization of them as "sorting and hashing" is mathematically necessary.

-- 
Paul Vixie
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
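The "fix up" Paul describes, worked through as an added example (this code is not from the thread, nor from any ISC or DNS-OARC software). It assumes a toy zone checksum: every RR is put in canonical wire form (owner | TYPE | CLASS | TTL | RDLENGTH | RDATA), cut into 32-byte blocks, and all blocks are XORed into one 32-byte register. That is exactly the order-independent combiner Fred's message praises. Because XOR is also linear, the forger changes the A record, computes the difference between the old and new checksum, and appends one TXT RR whose own contribution is that difference; the zone then checksums to the original value. The zone contents, the `.test` names and the `_fixup` owner are constructed for the example; `sort_and_hash()` is included as the "sorting and hashing" alternative, which is order-independent too but has no per-RR linearity to exploit.

```python
import hashlib
import struct

BLOCK = 32                                   # width in bytes of the XOR "checksum register"
TYPES = {"A": 1, "NS": 2, "MX": 15, "TXT": 16}
CLASS_IN = 1


def wire_name(name: str) -> bytes:
    """Uncompressed DNS wire-format name (RFC 1035 section 3.1), lower-cased."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr_bytes(owner: str, ttl: int, rtype: str, rdata: bytes) -> bytes:
    """Canonical RR bytes: owner | TYPE | CLASS | TTL | RDLENGTH | RDATA."""
    return wire_name(owner) + struct.pack("!HHIH", TYPES[rtype], CLASS_IN, ttl, len(rdata)) + rdata


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rr_contribution(rr: bytes) -> bytes:
    """XOR of the RR's BLOCK-sized chunks (last chunk zero-padded)."""
    acc = bytes(BLOCK)
    for i in range(0, len(rr), BLOCK):
        acc = xor_bytes(acc, rr[i:i + BLOCK].ljust(BLOCK, b"\x00"))
    return acc


def xor_checksum(rrs) -> bytes:
    """The 'XOR the blocks' zone checksum: order-independent, but also linear per RR."""
    acc = bytes(BLOCK)
    for rr in rrs:
        acc = xor_bytes(acc, rr_contribution(rr))
    return acc


def sort_and_hash(rrs) -> bytes:
    """'Sorting and hashing': order-independent too, with no per-RR linearity to exploit.
    (Real canonical order sorts by owner/type/rdata; a plain byte sort suffices here.)"""
    return hashlib.sha256(b"".join(sorted(rrs))).digest()


def forge_txt(owner: str, ttl: int, target: bytes) -> bytes:
    """Return a TXT RR whose rr_contribution() equals `target` (BLOCK bytes).

    RDATA is one <character-string>: a length octet (0x20) then 32 free octets.
    Free octet i sits at absolute offset h+1+i (h = header length), so it lands at
    block position (h+1+i) % BLOCK; XOR being linear, each free octet steers exactly
    one byte of the RR's contribution."""
    header = wire_name(owner) + struct.pack("!HHIH", TYPES["TXT"], CLASS_IN, ttl, BLOCK + 1)
    h = len(header)
    base = rr_contribution(header + b"\x20" + bytes(BLOCK))   # contribution with free octets zeroed
    want = xor_bytes(base, target)                             # what the free octets must supply
    free = bytes(want[(h + 1 + i) % BLOCK] for i in range(BLOCK))
    return header + b"\x20" + free


def build_zone():
    """Constructed sample zone: reserved .test TLD (RFC 2606), documentation addresses (RFC 5737)."""
    return [
        rr_bytes("example.test.", 3600, "NS", wire_name("ns1.example.test.")),
        rr_bytes("example.test.", 3600, "MX", struct.pack("!H", 10) + wire_name("mail.example.test.")),
        rr_bytes("www.example.test.", 300, "A", bytes([192, 0, 2, 10])),
    ]


def tamper(zone):
    """Repoint www, then append one TXT RR so the XOR checksum is unchanged."""
    original = xor_checksum(zone)
    evil = rr_bytes("www.example.test.", 300, "A", bytes([203, 0, 113, 7]))
    edited = zone[:2] + [evil]
    fixup = forge_txt("_fixup.example.test.", 300, xor_bytes(original, xor_checksum(edited)))
    return edited + [fixup]


if __name__ == "__main__":
    zone = build_zone()
    bad = tamper(zone)
    print("xor checksum unchanged after tampering:", xor_checksum(bad) == xor_checksum(zone))
    print("sort-and-hash detects the tampering:   ", sort_and_hash(bad) != sort_and_hash(zone))
```

The same construction works for any linear combiner (addition mod 2^n, CRC), and a fixed-size hash register does not help by itself: what defeats the fix-up is that `sort_and_hash()` is not linear in any single RR, and what makes it a signature rather than a checksum is a key the forger does not hold.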
