On Jul 8, 2025, at 03:27, Libor Peltan <libor.peltan=40nic...@dmarc.ietf.org> wrote:
>
> I think that having DNSSEC non-BOGUS 100% of the time is critical at least
> for important zones (like TLDs).
> AFAIK the current state is that the _specification_ allows the authoritatives
> to publish DNSKEYs with any number of conflicting keytags and the validating
> resolvers MUST(?) accept those;

Yes.

> while in _reality_ the resolvers started to impose some limitations.

Which resolvers? How did they break the RFC?

> This discrepancy between specification and reality should be fixed by us.

Us being the spec or the implementations? ;)

> I suggest something like: "resolvers MUST accept two keytag-conflicting keys
> within *each* DNSKEY RRset they are validating"

This is already the case.

> and "authoritatives MAY publish DNSKEY with at most two keytag-conflicting
> keys"

This is already basically the case. If you follow the below requirement.

> and "authoritatives SHOULD do best effort to avoid keytag conflicts whenever
> possible".

This might not be specified but in practice is already the case. Some DPS statements might have language here (and when reviewing the ICANN DPS/source code, I pointed out they should add some checks for this and create a different new key if there was a keytag collision).

Note that your proposed requirements are not always easy to implement, for example in the root where the KSK and ZSK are independently managed.

A better solution would be for resolvers to detect when they are under keytag DoS, and then take counter measures - not for the protocol to be changed and made more complicated.

Paul

>
> Libor
>
>> On 08. 07. 25 8:49, Peter Thomassen wrote:
>>
>>
>>> On 7/8/25 02:17, John Levine wrote:
>>> It appears that Shumon Huque <shu...@gmail.com> said:
>>>> Please review the draft and speak up if you have comments, and would like
>>>> to see this draft adopted (or not).
>>>
>>> I don't hate the draft but since we have been living with colliding tags
>>> for two decades and experience shows that collisions of more than two tags
>>> never appear unless maliciously created, this doesn't strike me as a good
>>> use of our time.
>>>
>>> Just add "more than two colliding tags" to the long list of limits in DNS
>>> resolvers and we can work on something else.
>>
>> +1
>>
>> Peter
>>
>> _______________________________________________
>> DNSOP mailing list -- dnsop@ietf.org
>> To unsubscribe send an email to dnsop-le...@ietf.org
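As an added example, not code from this thread nor from any resolver or signer the participants mention, here is the check both sides of the discussion rely on: the RFC 4034 Appendix B key tag computed over each DNSKEY in an RRset, and a count of keys per tag against the cap of two that the thread proposes (a signer-side pre-publication check, or a resolver-side limit). The four DNSKEY records are constructed with tiny placeholder public keys so the collision can be verified by hand.

```python
import struct
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key field of the RDATA


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit accumulator over the whole
    DNSKEY RDATA (flags, protocol, algorithm, public key), high byte for even
    offsets, low byte for odd ones, plus the carry folded back in."""
    rdata = struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key
    if key.algorithm == 1:
        # Appendix B.1 (RSA/MD5): the 16 bits preceding the final modulus byte.
        return int.from_bytes(key.public_key[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keytag_collisions(rrset, max_per_tag=2):
    """Return (keys per tag, tags shared by more than max_per_tag keys).
    max_per_tag=2 is the limit discussed in the thread: two colliding keys must
    be accepted, a third is what a resolver would refuse to validate and what a
    signer should detect and avoid by generating a different key."""
    counts = Counter(key_tag(k) for k in rrset)
    offending = sorted(t for t, n in counts.items() if n > max_per_tag)
    return counts, offending


# Constructed sample keys (not real zone data). The placeholder public keys are
# chosen so that KSK_A, KSK_B and KSK_C all get tag 2068 while ZSK_D gets 4123.
KSK_A = DNSKEY(257, 3, 13, b"\x01\x02\x03\x04")
KSK_B = DNSKEY(257, 3, 13, b"\x01\x03\x03\x03")
KSK_C = DNSKEY(257, 3, 13, b"\x02\x02\x02\x04")
ZSK_D = DNSKEY(256, 3, 13, b"\x05\x06\x07\x08")

if __name__ == "__main__":
    print(keytag_collisions([KSK_A, KSK_B, ZSK_D]))          # two colliding: within the cap
    print(keytag_collisions([KSK_A, KSK_B, KSK_C, ZSK_D]))   # three colliding: tag 2068 flagged
```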