On Feb 27, 2024, at 17:48, Mark Andrews <ma...@isc.org> wrote:

> If you forbid in the protocol

But part of this is not "in" the protocol. E.g. if two DNS hosters happen to arrive at the same key tag for a single zone in concurrent offline ways. Or if that happens when KSK and ZSK are managed differently. Your earlier email on what human operators must do to prevent this isn't really automated.

> Colliding key tags are a force multiplier when
> trying to DoS a validating resolver.

There are various defence mechanisms, like a longer negative cache for colliding key tag domains, so that the cost isn't a simple 3x.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
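An added example, not code from this thread or from ISC, of the automated pre-publication check the message says is missing: it computes the RFC 4034 Appendix B key tag for every DNSKEY in a zone's RRset and flags records that share an algorithm and a key tag. The helper names, the three records and their 64-byte public keys are constructed for illustration; the second key differs from the first only in two bytes whose contributions to the checksum cancel, which is why a 16-bit key tag is not a unique identifier.

```python
"""Key-tag collision check for a DNSKEY RRset (RFC 4034 Appendix B)."""
import base64
from collections import defaultdict


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit ones-complement-style checksum over the RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets weighted by 256, odd by 1
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str) -> tuple:
    """Parse presentation format 'FLAGS PROTOCOL ALGORITHM BASE64KEY'."""
    flags, protocol, algorithm, *b64 = rr.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))


def find_collisions(rrset: list) -> dict:
    """Group records by (algorithm, key tag); return only groups with >1 member.

    A validator identifies keys by owner, algorithm and key tag, so records
    that share all three force it to try every candidate key per signature.
    """
    groups = defaultdict(list)
    for rr in rrset:
        flags, proto, alg, key = parse_dnskey(rr)
        groups[(alg, key_tag(flags, proto, alg, key))].append(rr)
    return {k: v for k, v in groups.items() if len(v) > 1}


def _rr(flags: int, alg: int, key: bytes) -> str:
    """Render a DNSKEY in presentation format (constructed sample data)."""
    return f"{flags} 3 {alg} {base64.b64encode(key).decode()}"


# Constructed RRset: two KSKs (flags 257, algorithm 13) from "different hosters"
# whose keys collide, plus one unrelated key that does not.
_KEY1 = bytes(range(64))
_KEY2 = bytearray(_KEY1)
_KEY2[0] += 1          # +1 at an even RDATA offset adds 256 ...
_KEY2[2] -= 1          # ... -1 at another even offset removes 256: same tag
_KEY3 = bytes(range(64, 128))

SAMPLE_RRSET = [_rr(257, 13, _KEY1), _rr(257, 13, bytes(_KEY2)), _rr(257, 13, _KEY3)]

if __name__ == "__main__":
    for (alg, tag), rrs in find_collisions(SAMPLE_RRSET).items():
        print(f"algorithm {alg} key tag {tag}: {len(rrs)} colliding DNSKEY records")
```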