Matthew Pounsett <[email protected]> wrote:
>
> What are the implications for NSEC3, given that both (current) algorithm
> numbers rely on SHA-1?

In NSEC3, SHA-1 is used for hashing domain names, which do not have enough
space to fit a collision attack. Even so, RFC 5155 has a lot of contingency
options for dealing with collisions; for instance, if a zone update adds a
name that collides, the NSEC3 chain can be re-generated using a different
salt.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
oppose all forms of entrenched privilege and inequality
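
The NSEC3 hashing and re-salting described in the message above, as an added example that is not part of the original post or of any DNS server's code: it computes the RFC 5155 iterated SHA-1 hash of an owner name and regenerates the chain with a fresh salt when two names collide. The helper names (`wire_name`, `build_chain`, `build_chain_resalting`) and the injectable `hash_fn` parameter are assumptions made for illustration.

```python
import base64
import hashlib
import os

# NSEC3 owner labels use base32hex (RFC 4648); map the standard base32 alphabet onto it.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: H(name || salt), then `iterations` further salted rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def build_chain(names, salt, iterations, hash_fn=nsec3_hash):
    """Return the sorted [(hash, name)] chain; raise ValueError on a collision."""
    seen = {}
    for name in names:
        h = hash_fn(name, salt, iterations)
        if h in seen and wire_name(seen[h]) != wire_name(name):
            raise ValueError(f"hash collision between {seen[h]} and {name}")
        seen[h] = name
    return sorted(seen.items())

def build_chain_resalting(names, salt, iterations, hash_fn=nsec3_hash, max_tries=8):
    """On collision, pick a different random salt and regenerate the whole chain."""
    for _ in range(max_tries):
        try:
            return salt, build_chain(names, salt, iterations, hash_fn)
        except ValueError:
            salt = os.urandom(len(salt) or 8)
    raise RuntimeError("no collision-free salt found")

if __name__ == "__main__":
    # Salt and iteration count of the example zone in RFC 5155 Appendix A.
    print(nsec3_hash("example", bytes.fromhex("aabbccdd"), 12))
```

The `hash_fn` parameter exists only so a collision can be simulated in testing, since no colliding pair of names is known for the real function.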
