Mark Elkins <m...@posix.co.za> wrote:
> Never assume a KeyID is unique. :-)

Good tools ensure that key IDs are unique per zone. For example, if you
keep generating keys for a zone with `dnssec-keygen` it will eventually
get into an infinite loop perpetually generating colliding keys!

Apart from the footgun that Anand described, the reason for keeping key
IDs unique per zone is so that a validator can quickly skip keys that
can't possibly match an RRSIG or DS record.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Tyne, Dogger, Fisher: Southwest 5 to 7. Slight or moderate in Tyne, otherwise
moderate or rough. Showers then rain. Good, occasionally poor.
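
The key-ID lookup discussed in the message above, as an added example that is not part of the original post and is not BIND's code: it computes the RFC 4034 Appendix B key tag over DNSKEY RDATA and indexes a zone's keys by (algorithm, key tag), so a validator only tries the keys that can match an RRSIG or DS. The helper names and the three sample keys are assumptions made for illustration; the key bytes are constructed, not real public keys.

```python
import struct
from collections import defaultdict


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low octet.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in
    return acc & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 octets), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def index_keys(rdatas):
    """Group a zone's DNSKEYs by (algorithm, key tag), the fields an RRSIG or DS carries."""
    index = defaultdict(list)
    for rdata in rdatas:
        index[(rdata[3], key_tag(rdata))].append(rdata)
    return index


def candidates(index, algorithm: int, tag: int):
    """Keys worth a signature check; every other key is skipped without any crypto."""
    return index.get((algorithm, tag), [])


# Constructed sample keys (not real key material). KEY_A and KEY_B differ only in
# two octets at even offsets being swapped, which leaves the checksum unchanged.
KEY_A = dnskey_rdata(256, 13, bytes([0x01, 0x02, 0x03, 0x04]))
KEY_B = dnskey_rdata(256, 13, bytes([0x03, 0x02, 0x01, 0x04]))
KEY_C = dnskey_rdata(256, 13, bytes([0x0A, 0x0B, 0x0C, 0x0D]))
ZONE_KEYS = [KEY_A, KEY_B, KEY_C]

if __name__ == "__main__":
    idx = index_keys(ZONE_KEYS)
    for (alg, tag), keys in sorted(idx.items()):
        note = "collision: validator must try each key" if len(keys) > 1 else "unique"
        print(f"alg={alg} tag={tag} keys={len(keys)} ({note})")
```

With unique tags each lookup returns exactly one key; the colliding pair shows why a validator still has to treat the tag as a hint and verify against every returned candidate.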