In message <fd83b7a9-583c-4e6c-9301-414d043db...@dnss.ec>, Roy Arends writes: > On Feb 22, 2010, at 11:12 AM, Evan Hunt wrote: > > >> Using NSEC instead of NSEC3 because you fear SHA1 collisions does not > >> seem sensible, as if you fear SHA1 collisions, you have other more > >> significant problems with DNSSEC to worry about, and thus this is > >> not, in my opinion, reasonable. And it isn't sensible to suggest > >> users worry about it. If we are going to mention it, it should be > >> in security considerations, saying NSEC3 is dependent upon certain > >> properties of its hash algorithm (I forget now whether it is > >> collision resistance, pre-image resistance or or what), but this > >> should also point out the whole of DNSSEC is predicated on similar > >> qualities. > > > > +1 except for the "if". It is mathematically possible for collisions to > > occur with one approach and not the other, and it would be irresponsible > > not to make note of the fact, even if we agree that the chances of this > > occurring in nature are negligible. > > This is absurd. If we're going to do this, I'd like the security consideratio > ns to reflect all of the non-zero probabilities of errors occuring (those tha > t have a higher probability). This includes software-bugs, hardware-bugs, pro > bability of advances in factorization, randomness of PRNG for DNSKEYs, faulty > calibration/low granularity of equipment measuring the transition between th > e two hyperfine levels of the ground state of the caesium 133 atom. Gravitati > onal Sphere of Influence of the 99942 Apophis on the Gravitational orbit of G > PS satelites (Still having a higher probability than hash-collisions ;-)), Dr > unk Sysadmins, Rouge Registrar, etc, etc. > > I'm sure that it will be a very large section.
Apart from the slightly higher risk of software bugs because NSEC3 is more complicated. The other items have no impact of the decision to choose between NSEC and NSEC3 and as such are irrelevent. > Roy > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
