[dns-operations] [Ext] Re: help with a resolution
Tony Finch
dot at dotat.at
Fri Jan 10 15:16:52 UTC 2020
Matthew Pounsett <matt at conundrum.com> wrote:
>
> What are the implications for NSEC3, given that both (current) algorithm
> numbers rely on SHA-1?

In NSEC3, SHA-1 is used for hashing domain names, which do not have enough
space to fit a collision attack. Even so, RFC 5155 has a lot of
contingency options for dealing with collisions; for instance, if a zone
update adds a name that collides, the NSEC3 chain can be re-generated
using a different salt.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
oppose all forms of entrenched privilege and inequality
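
As an added illustration (not part of the original message or of any DNS software): the RFC 5155 hash computation in Python, checked against the apex name of the RFC's Appendix A example zone (salt `aabbccdd`, 12 iterations), followed by the re-salting contingency. Since no real SHA-1 collision is available for domain names, `toy_collision` truncates the digest to two octets to manufacture one; the truncation, the `hostN.example` names and all helper names are constructed for this demonstration.

```python
import base64, hashlib

# Map the base32 alphabet to base32hex (RFC 4648), used for NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire format: lowercased, length-prefixed labels, then the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_digest(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` extra rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def nsec3_label(name, salt, iterations):
    """Hashed owner label as it appears in the zone (lowercase base32hex)."""
    raw = base64.b32encode(nsec3_digest(name, salt, iterations))
    return raw.translate(_B32HEX).decode().lower()

def collisions(names, salt, iterations, keep=20):
    """Groups of distinct names sharing the first `keep` digest octets."""
    buckets = {}
    for name in names:
        key = nsec3_digest(name, salt, iterations)[:keep]
        buckets.setdefault(key, set()).add(wire_name(name))
    return [sorted(g) for g in buckets.values() if len(g) > 1]

def pick_salt(names, salts, iterations, keep=20):
    """First candidate salt under which no two names collide (None if all do)."""
    return next((s for s in salts if not collisions(names, s, iterations, keep)), None)

def toy_collision(salt, iterations, keep=2):
    """Constructed demo: two hostN.example names colliding on a truncated digest."""
    seen = {}
    for i in range(2 ** (8 * keep) + 1):  # pigeonhole guarantees a hit in this range
        name = f"host{i}.example"
        key = nsec3_digest(name, salt, iterations)[:keep]
        if key in seen:
            return seen[key], name
        seen[key] = name
```

With the full 20-octet digest (`keep=20`), `collisions` is the check a signer would run after a zone update, and `pick_salt` is the re-generation step applied when it reports a hit.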