[Dnssec-deployment] Why not NSEC3?
olaf at NLnetLabs.nl
Mon Jul 12 03:04:01 EDT 2010
On Jul 12, 2010, at 8:46 AM, bert hubert wrote:
> On Sun, Jul 11, 2010 at 02:41:04PM +0200, Olaf Kolkman wrote:
>> Hmmm, with a disclaimer that I haven't done the math [*]: Aren't the odds
>> that using the RFC4771 mechanism a collision takes place not of the same
>> order as the fraction of the size of the namespace that is covered
>> (somewhere around 2^-250 or so, since you have to cover both the wildcard
>> and the query name?).
> Integrity Transform Carrying Roll-Over Counter
> for the Secure Real-time Transport Protocol (SRTP)
> In any case, it is intuitive to me that one can just increase a 160 bit hash
> by 1 and have a very very remote chance of actually overlapping with
> something - without checking the data store.
> In the NSEC realm, this is by far not as straight forward.
It is not that I wanted to dispute all that but my original question was whether that lack of complexity was due to the fact that the hash algorithms were readily available library functions. Conceptually 4471 is also f(domainname)+-1 hence the question.
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
More information about the Dnssec-deployment