It appears that Philip Homburg <[email protected]> said:
>What I mean is that if we take all of the standards track DNSSEC RFCs and we
>add a new RFC that says something to the effect:
>1) A signer MUST NOT sign a DS or DNSKEY RRset if the set has duplicate key
>   tags.
>2) An authoritative DNS server MUST not serve a set of RRSIG records that
>   corresponds to a single RRset where the collection of RRSIG records has a
>   duplicate key tag.
>
>then as far as I can tell, there is no conflict with currently published
>standards track DNSSEC RFCs.

Not at all. This would be an incompatible change that breaks existing working DNS configurations, for at most a trivial simplification in load limiting code many years from now, even assuming people were to implement it.

No. Just plain no.

R's,
John
