On 02/22/2010 04:53 AM, Roy Arends wrote:
> On Feb 21, 2010, at 7:22 PM, Mark Andrews wrote:
>
>> NSEC3 has a non-zero false positive rate due to the fact that the names
>> are hashed.
>
> Are you going on again about the possibility of hash collisions in SHA-1?
Yes. +1 for Mark's point.

The deployment of NSEC3-signed top-level domains is a giant hash collision test of typo dictionaries. What does the registry do when someone registers a new domain name that has a hash collision (resign with a new salt, and also keep that 2-second update guarantee? - I would suggest some weasel words in agreements).

But I agree that more pertinent to the choice is the increased CPU demand and larger packets when using NSEC3. And opt-out, obfuscation desiderata.

Best regards,
Wouter
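The hash-collision question raised in this thread, as an added example that is not part of the original list discussion: the RFC 5155 NSEC3 owner-name hash, a pre-publication check for two distinct names in a zone hashing to the same NSEC3 owner, and the re-salting step RFC 5155 section 7.1 prescribes when a collision is found (choose a new salt, restart signing). The zone names below are constructed; the salt `aabbccdd` with 12 iterations is the RFC 5155 Appendix A parameter set, used here as a test vector.

```python
import base64
import hashlib
import os

# base64.b32encode emits the RFC 4648 alphabet; NSEC3 owner names use base32hex.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s.5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(owner_wire(name) + salt).digest()
    for _ in range(iterations):          # 'iterations' is the number of *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def find_collisions(names, salt_hex, iterations):
    """Return {hash: [names]} for every hashed owner shared by two or more distinct names."""
    by_hash = {}
    for name in {n.lower().rstrip(".") + "." for n in names}:   # dedupe case/trailing-dot variants
        by_hash.setdefault(nsec3_hash(name, salt_hex, iterations), []).append(name)
    return {h: sorted(ns) for h, ns in by_hash.items() if len(ns) > 1}

def choose_salt(names, iterations, salt_len=8, max_tries=16):
    """Pick a fresh random salt under which the zone's names do not collide (RFC 5155 s.7.1)."""
    for _ in range(max_tries):
        salt_hex = os.urandom(salt_len).hex()
        if not find_collisions(names, salt_hex, iterations):
            return salt_hex
    raise RuntimeError("no collision-free salt found")

# Constructed sample zone: the RFC 5155 Appendix A names plus two typo-style lookalikes.
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
              "w.example.", "*.w.example.", "x.w.example.", "x.y.w.example.", "xx.example.",
              "exmaple.example.", "examp1e.example."]

if __name__ == "__main__":
    print(nsec3_hash("example.", "aabbccdd", 12))   # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(find_collisions(ZONE_NAMES, "aabbccdd", 12))
    print(choose_salt(ZONE_NAMES, 12))
```

A signer would run `find_collisions` over the full set of owner names (including empty non-terminals) each time the zone is resigned, since a newly delegated name can collide with an existing one only under the salt currently in use.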
