-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Roy,

On 02/22/2010 02:14 PM, Roy Arends wrote:
> Nah, we love collisions, it makes it all so more efficient. Besides,
> I think the probability of finding a bug in authoritative server
> software is way higher than a hash-collision.

Yes, I agree that it is very unlikely. (And I wouldn't mind a 2**-100
chance of bugs in my software :-) ). If there ever are multiple
NSEC3-hash-algorithm choices, the 'hash collision' resistance is a
factor. NSEC, by virtue of its design, cannot have these hash collisions
(but then it does not hash either).

>> But I agree more pertinent to choice is the increased CPU demand
>> and larger packets when using NSEC3. And opt-out, obfuscation
>> desiderata.
>
> All FUD.

I actually thought those were the choices; was I wrong in that
assessment? SHA-1 hashes take time, and NSEC3 responses are larger
(mostly because you need 3 records instead of 2 for the common case and
the extra signature counts; the NSEC3 record itself is not actually that
much larger). I am not saying this makes NSEC3 an unchoosable option,
but it is a tradeoff, and if you can use NSEC because you do not need
the benefits of NSEC3, you should, because it'll drive down bandwidth
and CPU usage (slightly) for everyone.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkuCiX8ACgkQkDLqNwOhpPhXxACeMb7HH57cvczT41QMopDfiAtj
skMAoIOK83bylZ4x6VqRrB1FEoLkNvhs
=1MC1
-----END PGP SIGNATURE-----
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop

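The two points in the message above (NSEC3 owner names are SHA-1 hashes that could in principle collide, and every name costs iterations+1 SHA-1 invocations on the signer and on the validator) can be made concrete with the NSEC3 hash computation from RFC 5155 section 5. The following is an added worked example written for this page, not code from the thread or from any DNS implementation. The salt `aabbccdd` with 12 iterations comes from the RFC 5155 appendix example zone; the small list of names fed to the collision check is constructed here, and `sha1_invocations` and `find_collisions` are illustrative helpers, not part of any specification.

```python
import base64
import hashlib
from typing import Dict, Iterable, List

# NSEC3 owner names use base32 with the "extended hex" alphabet
# (RFC 4648 section 7) so that sorting hashes as DNS names sorts them
# numerically. Python's base64.b32encode uses the standard alphabet, so
# the output is re-mapped with a translation table.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of an owner name.

    Each label becomes a length byte followed by the label bytes, and the
    name ends with a zero-length root label. NSEC3 hashes the canonical
    form, so case differences in the query name cannot change the hash.
    """
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5 hash of an owner name (hash algorithm 1 = SHA-1).

    IH(salt, x, 0) = H(x || salt)
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    The result is the base32hex form used as the NSEC3 owner label.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def sha1_invocations(name_count: int, iterations: int) -> int:
    """CPU cost model: one SHA-1 call plus one per extra iteration, per name.

    This is the "SHA-1 hashes take time" part of the tradeoff; a validator
    pays it again for every name it has to hash while checking a denial.
    """
    return name_count * (iterations + 1)


def find_collisions(names: Iterable[str], salt: bytes, iterations: int) -> Dict[str, List[str]]:
    """Group names by NSEC3 hash and return only the groups with more than one name.

    An NSEC3 chain needs one owner per hash value, so a signer must detect a
    collision (and, per RFC 5155, re-salt) before the zone can be published.
    """
    seen: Dict[str, List[str]] = {}
    for n in names:
        seen.setdefault(nsec3_hash(n, salt, iterations), []).append(n)
    return {h: ns for h, ns in seen.items() if len(ns) > 1}


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    # Constructed sample names for the demonstration.
    sample = ["example", "a.example", "ns1.example", "x.w.example"]
    for n in sample:
        print(f"{nsec3_hash(n, salt, 12)}.example  <- {n}")
    print("SHA-1 calls to hash 10000 names at 12 iterations:", sha1_invocations(10000, 12))
    print("collisions:", find_collisions(sample, salt, 12))
```

Running the block prints the hashed owner names for the sample list, the SHA-1 call count for a zone of 10,000 names, and an empty collision map; the RFC 5155 appendix gives `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom` as the hash of the apex name `example` under this salt and iteration count, which the code reproduces.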