On Mon, 14 Jul 2025, Warren Kumari wrote:
> We could say that signers MUST NOT create colliding key tags, and that
> verifiers and similar tooling must continue to work as they currently do.

If you really want to do this bad idea, the least bad way to do it, which I think someone already suggested, is to invent new security algorithm numbers which are the same as existing ones but with the no-collision rule. Then resolvers can reject those signatures after one collision rather than after two or three as they do now.

This adds more code to the camel and has no practical benefit beyond what you already have if you dedup the keys you create, but people seem to feel otherwise.

My only tiny demand is that at the same time we create new CNAME5 and DNAME5 RRTYPEs which are exactly the same as CNAME and DNAME, but fail if the chain is more than five long. The same cost and benefit arguments apply.

R's,
John
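As an added illustration of the "dedup the keys you create" point (example code written for this page, not from the thread or from any DNS implementation): the RFC 4034 Appendix B key tag is a 16-bit checksum of the DNSKEY RDATA, so a signer can compute it for every key it is about to publish and generate a fresh key whenever a distinct one already carries that tag. The DNSKEY values below are constructed toy inputs with 4-byte "public keys", not real keys.

```python
import base64
import struct
from collections import defaultdict

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum of the RDATA, not a hash,
    so distinct keys collide easily. Algorithm 1 (RSA/MD5) has its own rule
    and is rejected here rather than miscomputed."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tag rule not implemented")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of a pair
    ac += (ac >> 16) & 0xFFFF         # fold carries back into 16 bits
    return ac & 0xFFFF

def parse_dnskey(presentation: str) -> bytes:
    """Parse DNSKEY presentation form: 'flags protocol algorithm base64key'."""
    flags, proto, alg, *key = presentation.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))

def colliding_tags(rdatas):
    """Signer-side dedup check: {tag: [distinct RDATA sharing it]} for every
    tag carried by more than one distinct key. The same key listed twice is
    a republished key, not a collision, and is ignored."""
    by_tag = defaultdict(list)
    for r in rdatas:
        tag = key_tag(r)
        if r not in by_tag[tag]:
            by_tag[tag].append(r)
    return {t: keys for t, keys in by_tag.items() if len(keys) > 1}

# Constructed toy DNSKEY RDATA (4-byte "public keys", not real keys). The first
# two differ yet both have tag 2067: the checksum only adds up byte pairs.
SAMPLE_KEYS = [
    parse_dnskey("256 3 13 AQIDBA=="),
    parse_dnskey("256 3 13 AgICBA=="),
    parse_dnskey("257 3 13 AQIDBA=="),  # tag 2068, no collision
]

if __name__ == "__main__":
    for tag, keys in colliding_tags(SAMPLE_KEYS).items():
        print(f"key tag {tag} shared by {len(keys)} distinct DNSKEYs; generate another key")
```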

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org