In your letter dated 1 Dec 2025 12:09:19 -0500 you wrote:
> I don't see how that follows. If we do nothing, resolvers will have to check for
> keytag collisions, and stop after 2 or 3 collisions. If we make this change, resolvers
> will still have to check for collisions, and perhaps at some time in the future
> they can stop after 1 collision.
>
> If we make a change now (in requirements for signing) then in some number of
> years validators can reject DNSKEY RRsets that have key tag collisions or
> at least strongly limit the number of such sets that are accepted. Validators
> can also reject RRSIG sets that have multiple RRSIGs with the same
> key tag or even just give up after a single RRSIG fails to validate.
Sounds like we agree, except for the detail of how much easier it is to
stop after one collision than 2 or 3. Since the code for 2 or 3 already
exists (see below) that doesn't strike me as very persuasive.
> The main thing is, validators will move in that direction anyhow, whether
> or not we publish an RFC. It will just be implicit knowledge that you
> need to know when writing a DNSSEC signer.
Sounds like we agree that we need better documentation of the practical
limits. Trying to change the limits on the fly only makes that harder.
R's,
John
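As an added illustration of the validator-side checks debated above (example code, not from this thread or from any resolver): the RFC 4034 Appendix B key tag computation, a collision count over a DNSKEY RRset with a per-tag limit, and a cap on how many RRSIGs sharing one key tag a validator will try. The limits MAX_KEYS_PER_TAG and MAX_SIGS_PER_TAG and the 4-byte dummy keys are assumptions made for the example.

```python
"""Key tag collision limits a DNSSEC validator can apply (added example)."""
import struct
from collections import Counter
from dataclasses import dataclass

# Assumed policy knobs; the thread argues over whether 1, 2 or 3 is the right bound.
MAX_KEYS_PER_TAG = 2   # reject the DNSKEY RRset if more keys than this share a tag
MAX_SIGS_PER_TAG = 2   # ignore further RRSIGs once this many carry the same tag


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets weigh the high byte, odd the low
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def tag_collisions(keys) -> dict:
    """Map key tag -> number of keys sharing it, listing only tags with more than one key."""
    counts = Counter(key_tag(k) for k in keys)
    return {tag: n for tag, n in counts.items() if n > 1}


def dnskey_rrset_acceptable(keys) -> bool:
    """Validator policy: reject the RRset if any tag is shared by more than MAX_KEYS_PER_TAG keys."""
    return all(n <= MAX_KEYS_PER_TAG for n in tag_collisions(keys).values())


def rrsig_tags_to_try(rrsig_key_tags) -> list:
    """Bound validation work: keep at most MAX_SIGS_PER_TAG signatures per key tag, in order."""
    seen, kept = Counter(), []
    for tag in rrsig_key_tags:
        seen[tag] += 1
        if seen[tag] <= MAX_SIGS_PER_TAG:
            kept.append(tag)
    return kept


# Constructed sample keys (not real key material): flags 256 = ZSK, protocol 3, algorithm 13.
# The tag is a positional byte sum, so reordering same-parity bytes keeps the tag unchanged.
SAMPLE_KEYS = [
    DNSKEY(256, 3, 13, bytes([1, 2, 3, 4])),
    DNSKEY(256, 3, 13, bytes([3, 2, 1, 4])),   # same tag as the first key
    DNSKEY(256, 3, 13, bytes([2, 2, 2, 4])),   # third key with that tag
    DNSKEY(256, 3, 13, bytes([1, 2, 3, 5])),   # distinct tag
]
```

Running `tag_collisions(SAMPLE_KEYS)` reports three keys on one tag, so `dnskey_rrset_acceptable` rejects the set under the assumed limit of 2.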
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]