On 26 Jul 2018, at 9:43, Ondřej Surý wrote:
> On 26 Jul 2018, at 18:40, Wessels, Duane <dwess...@verisign.com> wrote:
>
>> Ondrej,
>>
>> Thanks, I think that's a fair point. I was of course hoping to not create yet another IANA registry.
>>
>> If the ZONEMD RR included a count of records as suggested by Paul Wouters would you then be comfortable just using the DS hash algorithms?
> That's probably a question you need to ask some cryptographer, so take my opinion with a grain of salt.
>
> If <n> is the number of ZONEMD-covered records, then the probability of collision attack gets higher. So, unless I am mistaken, the delegation-heavy zones would be especially susceptible to a collision attack. Does it make sense?
If the ZONEMD record is signed, the only person who can mount a collision attack is the zone owner themselves. If the ZONEMD record is unsigned, an attacker can just remove it.

What is the attack you are envisioning?
--Paul Hoffman
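To make the two points in this exchange concrete (a record count carried alongside the digest, and the fact that a verifier cannot tell an unsigned ZONEMD that was never published from one an attacker stripped), here is an added illustration that is not part of the thread and not the draft's wire format: it uses a simplified canonical form (lowercased presentation text, sorted) and a hypothetical "count digest" RDATA layout, with a constructed sample zone.

```python
import hashlib

# Constructed sample zone in presentation format (not a real zone).
ZONE = [
    "example. 3600 IN SOA ns1.example. admin.example. 1 7200 3600 1209600 3600",
    "example. 3600 IN NS ns1.example.",
    "ns1.example. 3600 IN A 192.0.2.1",
    "www.example. 3600 IN A 192.0.2.2",
]

def is_zonemd(rr):
    return " ZONEMD " in rr.upper()

def zone_digest(rrs, algorithm="sha384"):
    """Digest over the canonically ordered covered records, with the record
    count mixed in first. The canonical form here (lowercase presentation
    text, sorted) is a simplification assumed for this example, not the
    draft's wire-format canonicalisation. ZONEMD itself is never covered."""
    covered = sorted(r.lower() for r in rrs if not is_zonemd(r))
    h = hashlib.new(algorithm)
    h.update(len(covered).to_bytes(4, "big"))  # count of covered records
    for r in covered:
        h.update(r.encode() + b"\n")
    return len(covered), h.hexdigest()

def make_zonemd(rrs):
    """Hypothetical presentation form: '<owner> TTL IN ZONEMD <count> <hex>'."""
    n, d = zone_digest(rrs)
    return f"example. 3600 IN ZONEMD {n} {d}"

def verify(rrs):
    """Return 'ok', 'mismatch' or 'absent'. 'absent' is the case the thread
    discusses: without DNSSEC signing the verifier cannot distinguish a zone
    that never had a ZONEMD from one where an attacker removed it, so a
    policy of 'verify only when present' gives no protection."""
    zonemd = [r for r in rrs if is_zonemd(r)]
    if not zonemd:
        return "absent"
    count, digest = zonemd[0].split()[4:6]
    n, d = zone_digest(rrs)
    return "ok" if (int(count), digest) == (n, d) else "mismatch"
```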
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop