On 3/1/24 14:44, Philip Homburg wrote:
>> Seriously, while I do believe in the need for a coherent DNSKEY
>> resource record set, there are some multi-signer proposals that do
>> not. If the key set has to be coherent, then someone can guard
>> against two keys being published with the same key tag. The recovery
>> may not be easy as you'd have to determine what key needs to be
>> kicked and who does it and where (physically in HSMs or process-wise).
> I have some doubt that key tag collisions can be entirely avoided.
> So now we moved the problem away from the core DNSSEC protocols to the
> realm of multi-signer protocols.
The core DNSSEC protocol includes multi-signer. RFC 8901 just spells out
explicitly how it is covered by the protocol; that's why its status is
Informational.
> The first step to conclude is that for the core DNSSEC protocol, requiring
> unique key tags is doable.
No. There is no core and non-core part of the spec. Support for multiple keys,
including keytag collisions, simply is part of that protocol.
(And of course, bounding work is part of the protocol just as well.)
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop