<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
<br>
<blockquote style="border: 0px none;"
cite="mid:Pine.LNX.4.53.1411281603230.21157@flame.m3047.net" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="m3047@m3047.net" photoname="Fred Morris"
src="cid:part1.02040707.05070607@redbarn.org"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:m3047@m3047.net"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Fred Morris</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Friday, November
28, 2014 3:07 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div><!----><br>... is not
mathematically necessary. As a simple counterexample, XOR is<br>commutative
and associative: it doesn't matter the order you XOR multiple<br>blocks
in. Not saying XOR is the One True Way, just that implementation<br>details
like that are probably a distraction at this point.<br>
</div></div>
</blockquote>
<br>
any zone-level signature has to be crypto-authentic. XOR is too easy to
"fix up", as in, add or delete your desired changes, compare the new
checksum to the old one, then add a TXT RR that causes the new checksum
to match the old one.<br>
<br>
so, i'm not in favour of zone-level signatures per se, but if they're
coming, then marka@isc's characterization of them as "sorting and
hashing" is mathematically nec'y.<br>
<br>
<div class="moz-signature">-- <br>Paul Vixie<br>
</div>
</body></html>