On Sun, Sep 9, 2018 at 2:30 PM Anand Buddhdev <ana...@ripe.net> wrote:
> On 09/09/2018 19:51, Mark Elkins wrote: > > > Never assume a KeyID is unique. :-) > > One of the DNSSEC RFCs specifically says that the KeyID is not meant to > be unique. I can't remember which one, and it's too late on a Sunday > evening to be reading RFCs :) > You are thinking of RFC4034, Section 8. Security Considerations: The key tag is used to help select DNSKEY resource records efficiently, but it does not uniquely identify a single DNSKEY resource record. It is possible for two distinct DNSKEY RRs to have the same owner name, the same algorithm type, and the same key tag. An implementation that uses only the key tag to select a DNSKEY RR might select the wrong public key in some circumstances. Please see Appendix B for further details. > > Even then, I've had the misfortune of dealing with a vendor whose > developers didn't read the RFCs properly, and designed their key store > using the key IDs as indexes. So one fine day, we had a zone signed with > one key, but the DS record came from another key. Boom. Yuck. What a > mess it was to sort out! > > Oooh, that sounds like fun to debug.... W > Regards, > Anand > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
