On Tue, 23 Feb 2010, Doug Barton wrote:
Because NSEC3 uses a hash function there is an unimaginably small chance that two different hostnames could produce the same hash output, and an even smaller chance that such a collision could be exploitable by an attacker. This issue SHOULD NOT be a factor in making an operational decision about which type of signing to use. See [RFC5155] for more information, including the relevant mathematical background.
4641bis is "DNSSEC Operational Practices". Why add something and then immediately say "SHOULD NOT be a factor"? This is not Matlock :)

Paul
