On Wed, 28 Feb 2024, libor.peltan wrote:
> On 27. 02. 24 at 21:24, John Levine wrote:
>> The total number of domains where I found duplicate tags was 105.
> As I said earlier, while I appreciate such research, I warn against
> misinterpreting it. The main point isn't about the zones that are currently
> experiencing a keytag-conflict; it's about the zones where there is a
> potential threat that they might do tomorrow (considering the case when many
> mainstream validating resolvers would start enforcing strong
> keytag-conflict-intolerance).
Sure, but my point is that you don't need to overthink this. If your
cache stops when it sees 8 or even 5 colliding IDs or signatures, the
chance that you will fail any real queries is vanishingly small. You can
mitigate the problem without any complicated thread or schedule management
or protocol changes. You'll still handle the real cases where a few IDs
collide by accident.
In retrospect it would have been a good idea to pick a less lame checksum
but I suppose if it's good enough for TCP, it's good enough for DNSSEC.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
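An illustration of the bound John describes, added here as an example and not code from the thread or from any resolver: it computes the RFC 4034 Appendix B key tag (the 16-bit sum he calls a lame checksum), builds constructed DNSKEYs that share one tag, and has the validator give up before it performs more than a fixed number of signature checks. The cap of 8, the function names and the sample key material are assumptions.

```python
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5):
    a 16-bit sum over the DNSKEY RDATA with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def colliding_keys(n: int, algorithm: int = 13) -> list:
    """Constructed test data: n distinct DNSKEYs that share one key tag.
    Because the tag is only a sum of the even-position and odd-position
    bytes, key material whose byte pairs (j, 256 - j) all sum to 256
    produces the same tag for every j."""
    return [dnskey_rdata(256, 3, algorithm, bytes([0, j, 0, 256 - j]))
            for j in range(1, n + 1)]

def plan_validation(dnskeys, rrsigs, cap: int = 8):
    """Decide which (RRSIG, DNSKEY) pairs a validator would try.

    rrsigs is a list of (key_tag, algorithm) taken from the RRSIG RDATA.
    Returns ("ok", pairs) or ("bogus", reason) as soon as the number of
    candidate signature checks exceeds `cap` (the bound John suggests),
    before any public-key operation is performed. The bound covers both
    many keys colliding on one tag and many signatures over one key."""
    pairs = []
    for sig_tag, sig_alg in rrsigs:
        for k in dnskeys:
            algorithm = k[3]  # byte 3 of the RDATA is the algorithm field
            if algorithm == sig_alg and key_tag(k) == sig_tag:
                pairs.append((sig_tag, k))
                if len(pairs) > cap:
                    return ("bogus", f"more than {cap} candidate signature checks")
    return ("ok", pairs)
```

With three colliding keys and one signature the RRset is still validated normally; with nine, or with two keys and five signatures, the validator marks it bogus after at most nine cheap tag comparisons instead of running every verification.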