[Dnssec-deployment] Why not NSEC3?
bert.hubert at netherlabs.nl
Mon Jul 12 02:46:30 EDT 2010
On Sun, Jul 11, 2010 at 02:41:04PM +0200, Olaf Kolkman wrote:
> Hmmm, with a disclaimer that I haven't done the math [*]: Aren't the odds
> that using the RFC4771 mechanism a collision takes place not of the same
> order as the fraction of the size of the namespace that is covered
> (somewhere around 2^-250 or so, since you have to cover both the wildcard
> and the query name?).
Integrity Transform Carrying Roll-Over Counter
for the Secure Real-time Transport Protocol (SRTP)
In any case, it is intuitive to me that one can just increase a 160-bit hash
by 1 and have a very very remote chance of actually overlapping with
something - without checking the data store.
In the NSEC realm, this is by far not as straightforward.
> [*] I asked Paul, the octopus in Germany who is an authority on odds :-)
I hear he will soon be part of a Paella.
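The "increase the hash by 1" idea from the message above, worked through as an added example (not code from the original post or from any DNS server). It uses the RFC 5155 iterated SHA-1 hash; the function names are hypothetical, the salt and iteration count are the ones from the RFC 5155 Appendix A example zone, and the query name is constructed.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
MODULUS = 1 << 160  # size of the SHA-1 output space


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) DNS wire format of a fully qualified name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> int:
    """RFC 5155 iterated SHA-1 hash of an owner name, as a 160-bit integer."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return int.from_bytes(digest, "big")


def b32hex(value: int) -> str:
    """Render a 160-bit integer as the 32-character NSEC3 owner label."""
    raw = value.to_bytes(20, "big")
    return base64.b32encode(raw).translate(_B32_TO_HEX).decode().lower()


def minimal_cover(qname: str, salt: bytes, iterations: int):
    """Return (owner_hash, next_hash) of a synthesized NSEC3 covering qname.

    No zone data is consulted: the range is (H-1, H+1), wrapping mod 2^160.
    """
    h = nsec3_hash(qname, salt, iterations)
    return (h - 1) % MODULUS, (h + 1) % MODULUS


def covers(owner: int, nxt: int, h: int) -> bool:
    """True if hash h lies strictly between owner and next (with wrap-around)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


if __name__ == "__main__":
    salt, iters = bytes.fromhex("aabbccdd"), 12  # RFC 5155 Appendix A parameters
    lo, hi = minimal_cover("doesnotexist.example.", salt, iters)  # constructed name
    print(b32hex(lo), "NSEC3 ->", b32hex(hi))
```

The only hash strictly inside the synthesized range is that of the query name itself, so an existing name is wrongly denied only if its hash equals the query's, which is the "very very remote chance" the message refers to.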