[Dnssec-deployment] Why not NSEC3?
Ed.Lewis at neustar.biz
Sun Jul 11 13:20:31 EDT 2010
At 14:41 +0200 7/11/10, Olaf Kolkman wrote:
>Hmmm, with a disclaimer that I haven't done the math [*]: Aren't the odds
>that using the RFC4771 mechanism a collision takes place not of the same
>order as the fraction of the size of the namespace that is covered
>(somewhere around 2^-250 or so, since you have to cover both the wildcard
>and the query name?).
>[*] I asked Paul, the octopus in Germany who is an authority on odds :-)
When I started this thread, I should have said "why not nsec3 for
biz" and not the more general subject line.
What I learned earlier this year from Eric Rescorla messages - the
chances of a cryptographic mishap of any kind (e.g., relating to
private keys generating enough information that they can be
discovered) is negligible in just about all cases. And that
operational headaches far outweigh mathematically created ones.
Basically for us, since we didn't have any of the main drivers for NSEC3
use as a requirement, we opted for the route that avoided us ever
having to answer the question of "why did I get
'ksiveHenr294n94...biz NSEC3 lei394nvu49ht...biz' in the authority
And, with all of the hypertension I get from DNS, I wanted to limit
my use of salt. (Ha ha.)
NeuStar You can leave a voice message at +1-571-434-5468
The World Cup would be more fun if they didn't interrupt it with soccer games.
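As an added illustration of the opaque NSEC3 owner names Ed refers to (not code from the thread), the following computes the RFC 5155 hashed owner name (iterated SHA-1 over the canonical wire-format name plus salt, base32hex-encoded) and picks the covering NSEC3 interval for a nonexistent name. The salt aabbccdd and 12 iterations are the RFC 5155 Appendix A parameters; the zone names passed in are constructed.

```python
import hashlib

# Base32 "Extended Hex" alphabet (RFC 4648 section 7), lowercase as in RFC 5155 examples.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name, RFC 4034 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest encodes to exactly 32 chars."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(k) = H(IH(k-1) || salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)


def covering_nsec3(qname: str, zone_names: list, salt: bytes, iterations: int) -> tuple:
    """Return the (owner, next) hash pair whose interval covers qname's hash, i.e. the
    unreadable 'X NSEC3 Y' record an operator sees in the authority section of an
    NXDOMAIN answer. The hash chain wraps from the largest hash back to the smallest."""
    owners = sorted(nsec3_hash(n, salt, iterations) for n in zone_names)
    qh = nsec3_hash(qname, salt, iterations)
    if qh in owners:
        raise ValueError("name exists: NSEC3 matches rather than covers it")
    for i, h in enumerate(owners):
        if h > qh:
            return (owners[i - 1], h)  # i == 0 wraps to the last owner
    return (owners[-1], owners[0])


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A parameters
    zone = ["example", "a.example", "w.example", "ns1.example"]  # constructed zone
    print(nsec3_hash("example", salt, 12))  # apex hash from RFC 5155 Appendix A
    print(covering_nsec3("nosuchname.example", zone, salt, 12))
```

Hashing is one-way, so neither the operator nor a resolver can read the query name back out of the two owner names in the response; that is the debugging cost the post is weighing against NSEC3's benefits.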