Re: [DNSOP] [Ext] About key tags

2024-03-02 Thread John Levine
It appears that Shumon Huque said:
>Yes, I agree. (Banning keytag collisions, if we are proposing that, is a
>protocol change.)
>
>Note also that DNSKEY set "coherency" is not really the issue. Even for a
>single signer they may be temporarily incoherent across nameservers because
>of normal

Re: [DNSOP] [Ext] About key tags

2024-03-02 Thread Shumon Huque
On Sat, Mar 2, 2024 at 3:57 PM Peter Thomassen wrote:
>
> On 3/1/24 14:44, Philip Homburg wrote:
> >> Seriously, while I do believe in the need for a coherent DNSKEY
> >> resource record set, there are some multi-signer proposals that do
> >> not. If the key set has to be coherent, then someone

Re: [DNSOP] [Ext] About key tags

2024-03-02 Thread John R Levine
On Sat, 2 Mar 2024, Peter Thomassen wrote: On 2/29/24 18:06, Paul Wouters wrote: (If no action is taken, malicious activity might follow now that it is described, but I have not heard of a historical case of it.) This attack was more or less described five years ago:

Re: [DNSOP] [Ext] About key tags

2024-03-02 Thread Peter Thomassen
On 2/29/24 18:06, Paul Wouters wrote: (If no action is taken, malicious activity might follow now that it is described, but I have not heard of a historical case of it.) This attack was more or less described five years ago: https://essay.utwente.nl/78777/

Re: [DNSOP] [Ext] About key tags

2024-03-02 Thread Peter Thomassen
On 3/1/24 14:44, Philip Homburg wrote: Seriously, while I do believe in the need for a coherent DNSKEY resource record set, there are some multi-signer proposals that do not. If the key set has to be coherent, then someone can guard against two keys being published with the same key tag.

[DNSOP] draft-crocker-dnsop-dnssec-algorithm-lifecycle-00

2024-03-02 Thread Russ Housley
This short Internet-Draft may be of interest to the people on this mail list.

Russ

> A new version of Internet-Draft
> draft-crocker-dnsop-dnssec-algorithm-lifecycle-00.txt has been successfully
> submitted by Russ Housley and posted to the
> IETF repository.
>
> Name: