On 08/07/2025 16:23, John R Levine wrote:
On Tue, 8 Jul 2025, Paul Wouters wrote:
A better solution would be for resolvers to detect when they are under
keytag DoS, and then take countermeasures - not for the protocol to
be changed and made more complicated.
Exactly. Malicious (or I suppose buggy) signers can publish colliding
keytags, so resolvers have to defend against it. Changing the spec
won't change that.
This is part of computational attacks and resolvers currently defend
against it in various ways.
Various ways that could give resolution inconsistencies between
implementations (I am not considering the actual attack scenario because
no one cares about that resolution).
That is why this draft could give definitive advice on how to deal with
key collisions IMHO.
Best regards,
-- Yorgos
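As an added example (not from this thread or from any of the posters), this shows the resolver-side defence the discussion is about: computing RFC 4034 key tags over a constructed DNSKEY RRset, spotting tags that several keys share, and capping how many candidate keys an RRSIG may be checked against. The cap value and the record layout are assumptions for illustration, not anything the draft or any implementation specifies.

```python
import struct
from collections import defaultdict

# Assumed local policy: at most this many keys are tried per RRSIG.
# Real resolvers pick their own limit, which is exactly why the thread
# worries about inconsistent resolution across implementations.
MAX_KEYS_PER_TAG = 2

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B, over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def group_by_tag(dnskeys):
    """Map key tag -> list of DNSKEY tuples sharing that tag."""
    groups = defaultdict(list)
    for k in dnskeys:
        groups[key_tag(*k)].append(k)
    return dict(groups)

def colliding_tags(dnskeys, limit=MAX_KEYS_PER_TAG):
    """Tags carried by more keys than the resolver is willing to try."""
    return sorted(t for t, ks in group_by_tag(dnskeys).items() if len(ks) > limit)

def candidate_keys(dnskeys, rrsig_tag, rrsig_alg, limit=MAX_KEYS_PER_TAG):
    """Keys a validator would attempt for one RRSIG, bounded by `limit`.
    Returns (keys_to_try, truncated). Signature checking itself is out of
    scope here; the point is that work per RRSIG stays bounded."""
    matches = [k for k in dnskeys
               if k[2] == rrsig_alg and key_tag(*k) == rrsig_tag]
    return matches[:limit], len(matches) > limit

# Constructed DNSKEY RRset: (flags, protocol, algorithm, public key bytes).
# The "public keys" are short dummies chosen so that three of them collide
# on key tag 1040 while the fourth lands on 1047.
SAMPLE_DNSKEYS = [
    (256, 3, 13, b"\x00\x01\x00\x02"),
    (256, 3, 13, b"\x00\x02\x00\x01"),
    (256, 3, 13, b"\x00\x03\x00\x00"),
    (256, 3, 13, b"\x00\x05\x00\x05"),
]
```

With the constructed RRset, `colliding_tags(SAMPLE_DNSKEYS)` reports tag 1040, and `candidate_keys(SAMPLE_DNSKEYS, 1040, 13)` returns only two keys and flags the truncation, so a validator can log or count the event instead of doing unbounded work.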
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org