> On 14 Feb 2024, at 14:47, Edward Lewis <edward.le...@icann.org> wrote:
>
> I raise the key tag issue in the sense of "let's not do this again" and not
> to try to change what it is now. Clearly, changing it (to avoid collisions)
> would be difficult. And, given the relative rarity of any problem stemming
> from it, not worth fixing at this point. Just don't do it again.
I agree with Ed. [Shock! Horror!] The long tail of DNS implementations means retro-fixing this vulnerability will be awkward. Key tag collisions are unlikely to cause a major problem. So let's not repeat this mistake/oversight in new protocol work and move on.

That said, I think a minor tweak to the core DNSSEC specs would be a good idea. For instance, whenever a validator comes across a key tag collision, it MUST stop validating and either return a hard error or an unvalidated response. My concern here is a bad actor using key tag collisions to disrupt important validating resolver services. For some definition of important.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
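Added worked example (not part of the thread, and not code from any DNS implementation): the key tag arithmetic from RFC 4034 Appendix B, a demonstration of how cheaply a second DNSKEY with the same tag can be produced, and the key selection step a validator performs for an RRSIG, with the "stop and fail on a collision" behaviour proposed in the message above as a switchable strict mode. The DNSKEY records are constructed; their key bytes are synthetic and are not valid algorithm 13 keys, only the RDATA layout and the tag arithmetic are real. `KeyTagCollision`, `candidate_keys` and the other names are this example's own.

```python
"""Key tags (RFC 4034 Appendix B) and key tag collisions in a DNSKEY RRset.

Added example, not code from the thread. The DNSKEY records below are
constructed: the public-key bytes are synthetic and are not valid keys for
algorithm 13; only the RDATA layout and the key tag arithmetic are real.
"""
import struct
from collections import defaultdict


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum over the whole DNSKEY RDATA.

    Bytes at even offsets are weighted by 256, bytes at odd offsets by 1,
    then the carry above 16 bits is folded in once. It is a checksum, not
    a hash, so the tag is not unique per key (RFC 4034 says as much)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1 byte, always 3), algorithm (1 byte), key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def algorithm_of(rdata: bytes) -> int:
    return rdata[3]


def colliding_rdata(rdata: bytes) -> bytes:
    """Return a different DNSKEY RDATA with the same key tag.

    Moving one unit from one key byte to another key byte at an offset of the
    same parity leaves the weighted sum unchanged, so the tag is unchanged.
    This shows how cheap collisions are; the result is not a usable key."""
    key = bytearray(rdata[4:])
    for i in range(len(key)):
        if key[i] == 0:
            continue
        for j in range(i % 2, len(key), 2):
            if j != i and key[j] < 0xFF:
                key[i] -= 1
                key[j] += 1
                return rdata[:4] + bytes(key)
    raise ValueError("no adjustable byte pair in key")


def find_key_tag_collisions(rrset):
    """Map (key tag, algorithm) -> RDATA list for every pair shared by more than
    one key in the RRset. Tags only matter per algorithm, since an RRSIG names both."""
    groups = defaultdict(list)
    for rdata in rrset:
        groups[(key_tag(rdata), algorithm_of(rdata))].append(rdata)
    return {k: v for k, v in groups.items() if len(v) > 1}


class KeyTagCollision(Exception):
    """Raised in strict mode when an RRSIG's key tag matches more than one DNSKEY."""


def candidate_keys(rrset, rrsig_key_tag, rrsig_algorithm, strict=True):
    """Select the DNSKEYs a validator would try for one RRSIG.

    RFC 4035 section 5.3.1 has the validator try every key whose tag and
    algorithm match. With strict=True this applies the tweak proposed in the
    message above: a collision is a failure rather than a list of keys to try
    in turn, so one RRSIG cannot be made to cost N signature verifications."""
    matches = [r for r in rrset
               if key_tag(r) == rrsig_key_tag and algorithm_of(r) == rrsig_algorithm]
    if strict and len(matches) > 1:
        raise KeyTagCollision(
            f"{len(matches)} DNSKEYs share key tag {rrsig_key_tag}, algorithm {rrsig_algorithm}")
    return matches


# Constructed RRset: a ZSK (flags 256), a KSK (flags 257), and a second ZSK
# deliberately built to share the first ZSK's key tag.
ZSK = dnskey_rdata(256, 13, bytes(range(1, 9)))
KSK = dnskey_rdata(257, 13, bytes(range(9, 17)))
ZSK_TWIN = colliding_rdata(ZSK)
RRSET = [ZSK, KSK, ZSK_TWIN]

if __name__ == "__main__":
    for r in RRSET:
        print(key_tag(r), algorithm_of(r), r[4:].hex())
    print("collisions:", {k: len(v) for k, v in find_key_tag_collisions(RRSET).items()})
    print("lenient:", len(candidate_keys(RRSET, key_tag(ZSK), 13, strict=False)), "keys to try")
    try:
        candidate_keys(RRSET, key_tag(ZSK), 13)
    except KeyTagCollision as e:
        print("strict:", e)
```

In lenient mode the validator is handed two keys for the ZSK's tag and has to attempt a signature check against each; in strict mode it stops at selection time, which is the "hard error or unvalidated response" outcome the message asks for. Whether the strict branch should return SERVFAIL or an unvalidated answer is policy; the example only makes the decision point explicit.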