> If a validator chooses to discard all signatures for which there
> are multiple DNSKEY resource records matching the key tag in the
> RRSIG resource record, there'll be SERVFAILs across the population
> that cares about the data involved. From past observations, when
> there's a widespread "I can't get to that", it bubbles up to the
> service provider, and they then take steps to fix it.
I don't think that would fly. If the major vendors of validating software, together with the big public resolvers, came together and announced a flag day after which key tags would have to be unique or SERVFAIL would be the result, then that would put a sizable group of people in a very bad position. If it were that easy, we would not be having this discussion; we could just publish an update to DNSSEC that requires key tags to be unique.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
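To make the policy being debated concrete, here is an added example (mine, not code from the thread or any resolver): it computes key tags per RFC 4034 Appendix B over constructed DNSKEY records, lists tags shared by more than one key in the RRset, and shows what a validator's key lookup for an RRSIG returns under the strict "discard when ambiguous" policy versus trying every matching key. The `DNSKEY` class, the sample keys and the function names are assumptions for illustration.

```python
"""Key tag computation and key-tag collision handling for a DNSKEY RRset."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # e.g. 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags | protocol | algorithm | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSAMD5).

    It is a 16-bit word sum with the carry folded back in, not a hash,
    which is why distinct keys can easily share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def colliding_tags(rrset: list[DNSKEY]) -> set[int]:
    """Tags carried by more than one DNSKEY in the RRset."""
    by_tag: dict[int, list[DNSKEY]] = defaultdict(list)
    for key in rrset:
        by_tag[key_tag(key.rdata())].append(key)
    return {tag for tag, keys in by_tag.items() if len(keys) > 1}


def keys_for_rrsig(rrset: list[DNSKEY], tag: int, algorithm: int,
                   strict: bool) -> list[DNSKEY]:
    """Candidate keys for an RRSIG's (key tag, algorithm) pair.

    strict=True models the proposal in the thread: when several keys
    match, give up (empty list, i.e. SERVFAIL); strict=False returns all
    candidates so the validator can try each signature verification."""
    cands = [k for k in rrset
             if k.algorithm == algorithm and key_tag(k.rdata()) == tag]
    return [] if strict and len(cands) > 1 else cands


# Constructed sample keys (public keys shortened; real alg 13 keys are 64 bytes).
# KEY_B is KEY_A with two aligned 16-bit words swapped, so the tags collide.
KEY_A = DNSKEY(257, 3, 13, bytes([0x01, 0x02, 0x03, 0x04]))
KEY_B = DNSKEY(257, 3, 13, bytes([0x03, 0x04, 0x01, 0x02]))
KEY_C = DNSKEY(257, 3, 13, bytes([0x01, 0x02, 0x03, 0x05]))
SAMPLE_RRSET = [KEY_A, KEY_B, KEY_C]
```

`colliding_tags(SAMPLE_RRSET)` reports the shared tag, and `keys_for_rrsig(SAMPLE_RRSET, key_tag(KEY_A.rdata()), 13, strict=True)` is empty, which is exactly the validation failure the quoted message predicts would surface as SERVFAIL.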
