Hi,

I was wondering about RFC 9276 which says: "SHOULD NOT use salt", while
RFC 5155 Section 7.1 says:

"If a hash collision is detected, then a new salt has to be chosen,
and the signing process restarted."

Now I know it is *very* unlikely to see a collision when signing a
zone, but is this perhaps the reason why the iterations count MUST be
0, while a salt SHOULD NOT be used, so that a salt remains legal to
use?

If so, it would be nice to mention that reason, maybe in an errata (if
extra explanation is allowed to be added in an errata).

Are there maybe other considerations why one is a MUST and the other a
SHOULD NOT?

Thanks,

        -Otto
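As an added illustration, not part of Otto's message, the NSEC3 owner-name hashing from RFC 5155 Section 5 with the salt and iteration count as parameters, next to the zone-wide collision check that Section 7.1 refers to (with RFC 9276's parameters, iterations 0 and empty salt, being the defaults). The function names and the owner names used in the check are assumptions; the hash of `example.` with salt `aabbccdd` and 12 iterations is the value shown in RFC 5155 Appendix A.

```python
import base64
import hashlib

# NSEC3 uses the RFC 4648 "base32hex" alphabet; derive it from base32 by translation.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def owner_name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 6.2): lowercase labels, length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l != ""]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 Section 5: IH(salt,x,0) = H(x||salt), IH(salt,x,k) = H(IH(salt,x,k-1)||salt),
    H = SHA-1. The defaults (empty salt, 0 iterations) are the RFC 9276 parameters."""
    digest = hashlib.sha1(owner_name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def find_collisions(names, salt: bytes = b"", iterations: int = 0) -> dict:
    """The check behind RFC 5155 Section 7.1: group distinct canonical owner names by their
    hashed owner name and return only the hashes shared by two or more distinct names.
    Names differing only in case are the same owner name, not a collision."""
    buckets = {}
    for name in names:
        buckets.setdefault(nsec3_hash(name, salt, iterations), set()).add(owner_name_to_wire(name))
    return {h: sorted(c) for h, c in buckets.items() if len(c) > 1}


def pick_salt(names, iterations: int, candidates) -> bytes:
    """Section 7.1 procedure: keep the first candidate salt that yields no collision; otherwise
    a new salt must be chosen and signing restarted (hypothetical helper, constructed here)."""
    for salt in candidates:
        if not find_collisions(names, salt, iterations):
            return salt
    raise RuntimeError("every candidate salt produced a collision; choose new salts and restart")


if __name__ == "__main__":
    # Constructed sample zone names; no real SHA-1 collision is expected among them.
    zone = ["example.", "ns1.example.", "a.example.", "*.example."]
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))  # RFC 5155 Appendix A value
    print(pick_salt(zone, 0, [b""]))
```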

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
