On Feb 14, 2024, at 01:39, Petr Špaček <pspa...@isc.org> wrote:
> In my mind this is good enough reason to outlaw keytag collisions - without 
> them it would be _much_ easier to implement reasonable limits without risk of 
> breaking legitimate clients.

Outlawing keytag collisions implies that the signer has to keep a copy of every 
keytag they've ever emitted. Adding that requirement nearly 20 years after the 
RFCs were finished is incredibly unlikely to work universally, so validators 
could not rely on it. Why add a requirement that cannot be relied on?

--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
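
The bookkeeping discussed in the message above, as an added example that is not part of the original e-mail or of any signer's code: the key tag is computed as in RFC 4034 Appendix B, and a signer refuses any new DNSKEY whose tag it has ever published. The KeyTagHistory class, publish_first_unused helper and the KEY_* byte strings are hypothetical names and constructed sample data, not real keys.

```python
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF          # fold the carry back in once
    return acc & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

class KeyTagHistory:
    """Hypothetical signer-side record of every key tag ever published."""

    def __init__(self):
        # tag -> RDATA that first used it. Entries are never pruned: a tag
        # stays reserved after its key leaves the zone, so this state has
        # to survive every rollover for the lifetime of the zone.
        self._seen = {}

    def try_publish(self, rdata: bytes):
        """Return the tag if it is free (or already belongs to this same key),
        or None when a different key has used it and a new key is needed."""
        tag = key_tag(rdata)
        if self._seen.get(tag, rdata) != rdata:
            return None
        self._seen[tag] = rdata
        return tag

def publish_first_unused(history: KeyTagHistory, candidates):
    """Try freshly generated candidate keys in order; return (tag, rdata)
    for the first one accepted, or None if every candidate collided."""
    for rdata in candidates:
        tag = history.try_publish(rdata)
        if tag is not None:
            return tag, rdata
    return None

# Constructed sample RDATA (flags 257, algorithm 13); the key bytes are
# placeholders. KEY_A and KEY_B differ but sum to the same 16-bit tag.
KEY_A = dnskey_rdata(257, 13, bytes.fromhex("00010002"))
KEY_B = dnskey_rdata(257, 13, bytes.fromhex("00020001"))
KEY_C = dnskey_rdata(257, 13, bytes.fromhex("00030005"))

if __name__ == "__main__":
    h = KeyTagHistory()
    print(h.try_publish(KEY_A), h.try_publish(KEY_B))
    print(publish_first_unused(h, [KEY_B, KEY_C]))
```

A validator sees none of this state, which is why it cannot tell a signer that keeps such a history from one that does not.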