[Dnssec-deployment] Why not NSEC3?
Olaf Kolkman
olaf at NLnetLabs.nl
Sat Jul 10 09:02:03 EDT 2010
On Jul 9, 2010, at 10:44 PM, Paul Vixie wrote:
>> NSEC3 is fine approach if you need to make use of its features. But by
>> comparison NSEC is easier to manage and troubleshoot.
>
> kaminsky reminded me recently that white lies are way easier with NSEC3
> than with NSEC. H(x)-1 and H(x)+1 are easier to calc than x-1 and x+1
> where 'x' is the qname. so, there may be apps for NSEC3 other than where
> the overall complexity is warranted or feature level is needed.
Is that because a hash is an available library function and, once hashed, swapping a bit is easy?
--Olaf
________________________________________________________
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
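
The arithmetic behind the quoted "H(x)-1 and H(x)+1" remark, as an added example that is not part of the original message or of any name server's code: the NSEC3 hash is a fixed-width 160-bit integer, so the two neighbours of a nonexistent name's hash are one subtraction and one addition, with no DNS canonical-ordering rules involved. The function names are hypothetical; the salt and iteration count are those of the RFC 5155 Appendix A example zone, and the query name is constructed.

```python
import base64
import hashlib

# base32 -> base32hex (RFC 4648 section 7), lowercase as in NSEC3 owner names.
B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789abcdefghijklmnopqrstuv")
HASH_BITS = 160  # SHA-1, NSEC3 hash algorithm 1


def wire_name(qname):
    """Canonical (lowercased) DNS wire format of a presentation-format name."""
    out = b""
    for label in qname.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % qname)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(qname, salt=b"", iterations=0):
    """RFC 5155 section 5: hash once, then `iterations` additional times."""
    digest = hashlib.sha1(wire_name(qname) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(digest):
    return base64.b32encode(digest).translate(B32_TO_B32HEX).decode("ascii")


def white_lie_cover(qname, salt=b"", iterations=0):
    """Owner and next-hash labels of an NSEC3 that covers only H(qname)."""
    h = int.from_bytes(nsec3_hash(qname, salt, iterations), "big")
    # Modulo keeps the result 20 bytes if H is all-zero or all-one bits.
    prev_h, next_h = (h - 1) % (1 << HASH_BITS), (h + 1) % (1 << HASH_BITS)
    return tuple(b32hex(v.to_bytes(HASH_BITS // 8, "big")) for v in (prev_h, next_h))


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12   # RFC 5155 example-zone parameters
    qname = "nonexistent.example"                 # constructed query name
    owner, nxt = white_lie_cover(qname, salt, iters)
    print("H(qname):", b32hex(nsec3_hash(qname, salt, iters)))
    print("%s.example. NSEC3 1 0 %d %s %s" % (owner, iters, salt.hex(), nxt))
```

Because base32hex preserves byte order, the two labels sort immediately on either side of the hashed query name, so the signed record proves nonexistence without revealing any real neighbour in the zone.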