On Feb 14, 2024, at 01:39, Petr Špaček <pspa...@isc.org> wrote:

> In my mind this is good enough reason to outlaw keytag collisions - without
> them it would be _much_ easier to implement reasonable limits without risk of
> breaking legitimate clients.

Outlawing keytag collisions implies that the signer has to keep a copy of every keytag they've ever emitted. Adding that requirement nearly 20 years after the RFCs were finished is incredibly unlikely to work universally, so validators could not rely on it. Why add a requirement that cannot be relied on?

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
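As an added example (not code from either poster) of what the "keep a copy of every keytag they've ever emitted" requirement amounts to: the RFC 4034 Appendix B key tag computation, a signer-side history that rejects a tag it has already emitted, and the operator/validator-side check for duplicate tags within one DNSKEY RRset. All key bytes and the history class are constructed for illustration.

```python
# Added example for this thread: RFC 4034 key tags and the record-keeping a
# no-collision rule would force on a signer.  All key material is constructed.
import struct
from collections import Counter

def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.
    The historical algorithm-1 (RSA/MD5) special case is deliberately not handled."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # odd positions low byte, even positions high byte
    acc += (acc >> 16) & 0xFFFF               # fold the carry back into 16 bits
    return acc & 0xFFFF

class KeyTagCollision(Exception):
    pass

class SignerKeyTagHistory:
    """Hypothetical signer state: every tag ever emitted.  It has to survive
    rollovers and tooling migrations, which is the burden raised in the thread."""
    def __init__(self, previously_emitted=()):
        self.emitted = set(previously_emitted)

    def register(self, flags, protocol, algorithm, public_key) -> int:
        tag = key_tag(flags, protocol, algorithm, public_key)
        if tag in self.emitted:
            raise KeyTagCollision(f"key tag {tag} already emitted by this signer")
        self.emitted.add(tag)
        return tag

def duplicate_tags(dnskey_rrset) -> dict:
    """Validator/operator side: tags shared by more than one DNSKEY in an RRset.
    Each (flags, protocol, algorithm, public_key) tuple is one DNSKEY record."""
    counts = Counter(key_tag(*rr) for rr in dnskey_rrset)
    return {tag: n for tag, n in counts.items() if n > 1}

# Constructed keys: swapping the even-position bytes of a key leaves the tag
# unchanged, so KSK_A and KSK_B share a tag although they are different keys.
KSK_A = (257, 3, 13, b"\x01\x02\x03\x04")
KSK_B = (257, 3, 13, b"\x03\x02\x01\x04")
ZSK   = (256, 3, 13, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    history = SignerKeyTagHistory()
    history.register(*KSK_A)                    # 2068 accepted
    print(duplicate_tags([KSK_A, KSK_B, ZSK]))  # {2068: 2}
    history.register(*KSK_B)                    # raises KeyTagCollision
```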