On 09/09/2018 18:51, Mark Elkins wrote:
> Just for the record, although I do look from a curiosity point of view
> for Identical Key ID's once every few month - I've never seen them -
> until now.
> 
> Now I have them - generated by BIND within a few days of each other...
>
> I've been running DNSSEC for 7 years and have around 400 DNSSEC keys for
> 133 signed Domains.
> I'm a smallish Registrar for ZA domains.
> 
> Never assume a KeyID is unique.  :-)

It's inevitable that they won't be.

With only a 16 bit key tag space (and in 2016 Roy Arends discovered that
the effective space is only 15 bits) then due to the birthday collision
paradox you only need of the order of sqrt(32k) different keys to get a
50% chance of a collision.

Ray

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to