changing NSEC3 salt

Chris Thompson cet1 at cam.ac.uk
Wed Feb 12 13:17:46 UTC 2014


On Feb 11 2014, David Newman wrote:

[...]
>That's interesting. It seems to contradict Lucas' advice to "always use
>'1 0 10' for these [NSEC3] flags, as fewer aren't secure enough and more
>aren't any more secure."

It's difficult to see how that can make sense. Increasing the number of
iterations simply gives a linear increase in the computational cost of
testing names against NSEC3s (and the same factor in the overheads in
authoritative and validating nameservers, of course).

Moore's law wipes out a factor of 10 before very long ...

It's not often mentioned, incidentally, that using more iterations increases
the probability of a collision. Of course, it's pretty damn small to begin
with, so that doesn't really matter. But the algorithm, described in RFC 5155
section 5, could have been better designed from that point of view.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
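The RFC 5155 section 5 hashing discussed in the message above, as an added illustration that is not part of the original post or of BIND: it computes an NSEC3 owner-name hash and counts the SHA-1 invocations, which grow linearly with the iteration count (iterations + 1 hash calls per name). The test vector (owner `example.`, salt `aabbccdd`, 12 iterations) is the one from RFC 5155 Appendix A; the other inputs are constructed.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 "extended hex"); remap Python's
# standard base32 alphabet onto it.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Owner name in canonical form (RFC 4034 section 6.2): lowercase,
    uncompressed wire format, ending with the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int):
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1):
        IH(salt, x, 0) = H(x || salt)
        IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    Returns (base32hex digest as it appears in the zone, number of SHA-1 calls).
    A salt of "-" denotes the empty salt, as in NSEC3 presentation format."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = wire_name(name)
    calls = 0
    for _ in range(iterations + 1):   # one initial hash plus `iterations` re-hashes
        digest = hashlib.sha1(digest + salt).digest()
        calls += 1
    encoded = base64.b32encode(digest).translate(_B32_TO_B32HEX)
    return encoded.decode("ascii").lower(), calls


if __name__ == "__main__":
    # RFC 5155 Appendix A vector: 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.
    print(nsec3_hash("example.", "aabbccdd", 12))
    # Constructed comparison: the work per name is proportional to iterations + 1,
    # so "1 0 10" costs 11 SHA-1 calls and 150 iterations costs 151.
    for iters in (0, 10, 150):
        print(iters, nsec3_hash("www.example.", "-", iters)[1])
```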


More information about the bind-users mailing list