[Opendnssec-develop] getting rid of HSM calls from the communicator

Antoin Verschuren Antoin.Verschuren at sidn.nl
Thu Sep 10 11:02:19 UTC 2009


With Roy's explanation, I also don't see any objections anymore, apart from the fact that advising to periodically change your salt as BCP is less convincing if we ship all software with the same salt.
That's not a security issue, however, but more an operational issue.

Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/



> -----Original Message-----
> From: Roland van Rijswijk [mailto:roland.vanrijswijk at surfnet.nl]
> Sent: Thursday, September 10, 2009 12:10 PM
> To: Roy Arends
> Cc: Antoin Verschuren; Opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] getting rid of HSM callsfrom the
> communicator
> 
> Hi Roy,
> 
> Roy Arends wrote:
> > If it results in remarkably similar structures, the hash function is
> > broken, as each pre-image will be unique per fully qualified domain
> > name. Also the zone structure will not be influenced by the salt.
> >
> >> This - of course - doesn't hold if the FQDN is the input for the hash,
> >> but I haven't checked that, is that the case?
> >
> > That is the case
> 
> In that case I don't object anymore.
> 
> It should - however - be made clear to users what choices they have and
> what the tradeoffs are, so perhaps some lines about this in the
> documentation are in order ;-)
> 
> Cheers,
> 
> Roland
> 
> --
> -- Roland M. van Rijswijk
> -- SURFnet Middleware Services
> -- t: +31-30-2305388
> -- e: roland.vanrijswijk at surfnet.nl
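
The point made in the quoted exchange, that the hash input is the fully qualified domain name and so a shared salt does not make two zones hash alike, as an added example that is not part of the original message or of OpenDNSSEC. It assumes the hash under discussion is the NSEC3 hash of RFC 5155 (SHA-1); the zone names, labels, salt and iteration count are constructed sample values.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet used for NSEC3 owner labels.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(fqdn: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a fully qualified name."""
    out = b""
    for label in (l for l in fqdn.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(fqdn: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash: H(name || salt), then `iterations` more rounds of H(digest || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(fqdn) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def hashed_owners(zone: str, labels, salt_hex: str, iterations: int) -> dict:
    """Map each hashed owner label to the FQDN it was derived from."""
    names = [zone] + [f"{label}.{zone}" for label in labels]
    return {nsec3_hash(n, salt_hex, iterations): n for n in names}


def shared_hashes(zone_a: str, zone_b: str, labels, salt_hex: str, iterations: int) -> set:
    """Hashed owner labels that two zones with identical relative names have in common."""
    a = hashed_owners(zone_a, labels, salt_hex, iterations)
    b = hashed_owners(zone_b, labels, salt_hex, iterations)
    return set(a) & set(b)


if __name__ == "__main__":
    LABELS = ["www", "mail", "ns1"]   # constructed: same relative names in both zones
    SALT, ITER = "aabbccdd", 12       # constructed: one "shipped default" salt for both
    for zone in ("example.org", "example.net"):
        for h, name in sorted(hashed_owners(zone, LABELS, SALT, ITER).items()):
            print(f"{h}.{zone}.  <- {name}")
    print("hashes in common:", shared_hashes("example.org", "example.net", LABELS, SALT, ITER))
```
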


