On Feb 14, 2024, at 07:10, Jim Reid <j...@rfc1035.com> wrote:

> That said, I think a minor tweak to the core DNSSEC specs would be a good
> idea. For instance, whenever a validator comes across a key tag collision, it
> MUST stop validating and either return a hard error or an unvalidated
> response.
>
> My concern here is a bad actor using key tag collisions to disrupt important
> validating resolver services. For some definition of important.
That is not a "minor tweak"; that will occasionally break validation in hard-to-detect ways. The problem is not the collisions, it is the collisions causing almost unbounded processing. A better update would be to say "watch for excessive processing due to keytag collisions and abort when you detect it".

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
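The "abort on excessive processing" approach from the reply above, as an added example that is not from this thread or from any resolver implementation: it computes the RFC 4034 key tag, selects candidate DNSKEYs per RRSIG the way RFC 4035 section 5.3.1 does, and charges every verification attempt against a work budget instead of treating a collision itself as fatal. The DNSKEY/RRSIG models, the budget of 8 and `fake_verify` (a stand-in for the real signature check) are assumptions constructed for the example.

```python
import struct
from typing import Callable, List, NamedTuple
def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum, so distinct keys can share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF
class DNSKEY(NamedTuple):
    algorithm: int
    public_key: bytes
    def rdata(self) -> bytes:  # flags 257 (KSK) and protocol 3 are fixed for the sample
        return struct.pack("!HBB", 257, 3, self.algorithm) + self.public_key
class RRSIG(NamedTuple):  # only the fields that select candidate keys
    key_tag: int
    algorithm: int
    signature: bytes
class ExcessiveValidationWork(Exception): pass

def validate_rrset(rrsigs: List[RRSIG], dnskeys: List[DNSKEY],
                   verify: Callable[[DNSKEY, RRSIG], bool], budget: int = 8) -> bool:
    """True once an RRSIG verifies under a key with matching tag and algorithm (RFC 4035
    5.3.1). Each verify() call is charged to `budget`; exceeding it aborts validation."""
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.algorithm != sig.algorithm or key_tag(key.rdata()) != sig.key_tag:
                continue
            attempts += 1  # colliding tags multiply the candidates tried per RRSIG
            if attempts > budget:
                raise ExcessiveValidationWork(f"{attempts} attempts > budget {budget}")
            if verify(key, sig):
                return True
    return False

# Constructed sample: swapping bytes at even offsets keeps the checksum, so all
# four keys share one tag. fake_verify stands in for a real signature check.
GOOD_KEY = DNSKEY(13, b"\x01\x00\x02\x00")
COLLIDERS = [DNSKEY(13, k) for k in (b"\x02\x00\x01\x00", b"\x03\x00\x00\x00", b"\x00\x00\x03\x00")]
TAG = key_tag(GOOD_KEY.rdata())
def fake_verify(key: DNSKEY, sig: RRSIG) -> bool:
    return key == GOOD_KEY and sig.signature == b"genuine"
def honest_case() -> bool:  # one key, one genuine signature: a single attempt
    return validate_rrset([RRSIG(TAG, 13, b"genuine")], [GOOD_KEY], fake_verify)
def colliding_case() -> str:  # 4 bogus sigs x 3 colliding keys would take 12 attempts
    try:
        validate_rrset([RRSIG(TAG, 13, b"bogus")] * 4, COLLIDERS, fake_verify, budget=8)
        return "completed"
    except ExcessiveValidationWork:
        return "aborted"
```

A production validator would apply the same budget across the whole resolution (every zone cut and every RRset), not just one RRset, and would return a failure for the query rather than keep grinding.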