On Feb 11 2014, David Newman wrote:

> [...]
> That's interesting. It seems to contradict Lucas' advice to "always use '1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more aren't any more secure."
It's difficult to see how that can make sense. Increasing the number of iterations simply gives a linear increase in the computational cost of testing names against NSEC3s (and the same factor in the overheads in authoritative and validating nameservers, of course). Moore's law wipes out a factor of 10 before very long ...

It's not often mentioned, incidentally, that using more iterations increases the probability of a collision. Of course, it's pretty damn small to begin with, so that doesn't really matter. But the algorithm, described in RFC 5155 section 5, could have been better designed from that point of view.

--
Chris Thompson
Email: c...@cam.ac.uk
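The RFC 5155 section 5 iterated hash that the reply refers to, as an added example that is not part of the original thread. It shows the per-name SHA-1 cost growing linearly with the iteration count and the collision effect the reply mentions; the `truncate` parameter is an assumption of this example (not in the RFC) that shrinks the digest space so that merging hash chains become visible with a few thousand constructed names.

```python
import base64
import hashlib

# RFC 5155 section 5 defines IH(salt, x, 0) = H(x || salt) and
# IH(salt, x, k) = H(IH(salt, x, k-1) || salt), with H = SHA-1 (hash algorithm 1)
# and x the owner name in canonical wire format.

def owner_name_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, ending with the zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_digest(name, salt_hex, iterations, truncate=None):
    """Iterated hash of RFC 5155 section 5.  `truncate` is an assumption of this
    example, not part of the RFC: it keeps only the first N bytes of every SHA-1
    output so collision behaviour can be observed in a toy digest space."""
    salt = bytes.fromhex(salt_hex)
    def h(data):
        return hashlib.sha1(data).digest()[:truncate]

    digest = h(owner_name_wire(name) + salt)
    for _ in range(iterations):  # every extra iteration is exactly one more SHA-1
        digest = h(digest + salt)
    return digest

def nsec3_hash(name, salt_hex, iterations):
    """Hashed owner name as written in the zone: base32hex, unpadded, lowercase."""
    b32 = base64.b32encode(nsec3_digest(name, salt_hex, iterations)).decode("ascii")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return b32.translate(table).lower()

def sha1_operations(iterations):
    """SHA-1 invocations a signer, server or validator spends per name: linear in k."""
    return iterations + 1

def distinct_digests(names, salt_hex, iterations, truncate):
    """Number of distinct (truncated) digests a set of names maps to after k iterations.
    IH(k) depends only on IH(k-1), so two chains that meet never separate again and
    this count can only stay equal or fall as the iteration count grows."""
    return len({nsec3_digest(n, salt_hex, iterations, truncate) for n in names})

if __name__ == "__main__":
    print("example @ 12 iterations:", nsec3_hash("example", "aabbccdd", 12))
    sample = ["host%d.example" % i for i in range(2000)]  # constructed sample names
    for k in (0, 1, 10, 100):
        print("iterations=%3d  sha1 ops/name=%3d  distinct 16-bit digests=%d"
              % (k, sha1_operations(k), distinct_digests(sample, "aabbccdd", k, 2)))
```

With the full 160-bit digest the merging is unobservable in practice, which is the reply's point that the effect is real but tiny; the truncated run makes the monotonic shrinkage visible.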