--On 22 February 2010 09:05:47 -0800 Eric Rescorla <[email protected]> wrote:

On Mon, Feb 22, 2010 at 8:52 AM, Roy Arends <[email protected]> wrote:
On Feb 22, 2010, at 11:12 AM, Evan Hunt wrote:

Alex Bligh wrote:

Using NSEC instead of NSEC3 because you fear SHA1 collisions does not
seem sensible ... And it isn't sensible to suggest
users worry about it. If we are going to mention it, it should be
in security considerations, saying NSEC3 is dependent upon certain
properties of its hash algorithm (I forget now whether it is
collision resistance, pre-image resistance or what), but this
should also point out the whole of DNSSEC is predicated on similar
qualities.

+1 except for the "if".  It is mathematically possible for collisions
to occur with one approach and not the other, and it would be
irresponsible not to make note of the fact, even if we agree that the
chances of this occurring in nature are negligible.

This is absurd. If we're going to do this, I'd like the security
considerations to reflect all of the non-zero probabilities of errors
occurring
...
Drunk Sysadmins, Rogue Registrar, etc, etc.

I'm sure that it will be a very large section.

Precisely.

I realize it's hard to grasp precisely how small the statistical
chances of a collision are, but they are just unbelievably small.
Acting as if it is something that might actually happen just makes
you look silly.

I agree entirely. However, it does seem that there is a recurrent
view that hash collisions are a risk worth discussing (hence this
thread). My use of the words "if we are going to mention it" was
more to quantify the probability of the problem than to say
people should be worrying about it; if we don't quantify it,
people seem to think it's worth worrying about, which I would
suggest it is not. I am equally happy with a security considerations
section that says in essence "if SHA-1 breaks then NSEC3 breaks,
but then so does the rest of DNSSEC" as not mentioning it. What
we shouldn't be doing is suggesting users should use this as
a decision criterion between NSEC and NSEC3. There are plenty
of reasons not to use NSEC3 (and to use it) way more significant
than the 10^-(large number) problem. I think it is much smaller
than one in a trillion, by the way. I seem to remember it is
smaller than one in (number of atoms in universe squared).

--
Alex Bligh
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
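The thread argues about how small the chance of an NSEC3 hash collision within a zone actually is. The following is an added example, not code from the thread or from any DNSSEC signer, that implements the RFC 5155 owner-name hash (SHA-1 over the canonical wire-format name plus salt, re-hashed for the configured iteration count, base32hex-encoded) so the "certain properties of its hash algorithm" being discussed are concrete, and then puts a number on the collision probability with the birthday bound, modelling SHA-1 as a random function. The zone names and the salt are constructed for the example; the output of nsec3_owner_label can be compared against the vectors in RFC 5155 Appendix A.

```python
"""Added example (not from the thread): NSEC3 hashing per RFC 5155 section 5
and the birthday bound on hash collisions among the names of one zone.
The zone names, salt and iteration count used below are constructed."""
import base64
import hashlib

# base32 as emitted by base64.b32encode uses the RFC 4648 standard alphabet;
# NSEC3 owner labels use the "extended hex" alphabet, so translate.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    name = name.lower().rstrip(".")
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)  # root label
    return bytes(out)


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> bytes:
    """RFC 5155: IH(salt, x, 0) = SHA-1(x || salt);
    IH(salt, x, k) = SHA-1(IH(salt, x, k-1) || salt). Returns 20 raw bytes."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def nsec3_owner_label(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """The 32-character base32hex label (no padding, 160 bits) that is
    prepended to the zone name to form the NSEC3 RR's owner."""
    raw = base64.b32encode(nsec3_hash(name, salt, iterations))
    return raw.translate(_TO_B32HEX).decode("ascii").lower()


def find_collisions(names, salt: bytes = b"", iterations: int = 0) -> dict:
    """Hash every name with the zone's salt/iterations and return only the
    hashes produced by more than one name. A signer can run exactly this
    check over the whole zone and pick a different salt if anything collides."""
    seen = {}
    for n in names:
        seen.setdefault(nsec3_hash(n, salt, iterations), []).append(n)
    return {h: ns for h, ns in seen.items() if len(ns) > 1}


def collision_probability(n_names: int, hash_bits: int = 160) -> float:
    """Birthday bound: P(some pair of n names shares a hash) <= n(n-1)/2 / 2^bits.
    Only names in the same zone (same salt and iteration count) can collide
    in a way that matters to NSEC3; this assumes SHA-1 behaves as a random function."""
    pairs = n_names * (n_names - 1) // 2
    return pairs / float(2 ** hash_bits)


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # constructed
    zone = ["example.", "a.example.", "ns1.example.", "www.example."]  # constructed
    for n in zone:
        print("%-14s -> %s.example." % (n, nsec3_owner_label(n, salt, 12)))
    print("collisions in zone:", find_collisions(zone, salt, 12))
    for n in (10 ** 6, 10 ** 9):
        print("%d names: P(collision) <= %.3g" % (n, collision_probability(n)))
```

Note the two different questions the thread mixes: whether two names in one zone happen to hash to the same value (the birthday bound above, on the order of 10^-31 even for a billion-name zone with a 160-bit hash), and whether SHA-1 is broken as a function, which the signer cannot detect by re-salting and which, as the message says, would affect the rest of DNSSEC just as much.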
