On Wed, Feb 14, 2024 at 7:46 AM Edward Lewis <edward.le...@icann.org> wrote:
> On 2/14/24, 04:40, "DNSOP on behalf of Petr Špaček"
> <dnsop-boun...@ietf.org on behalf of pspa...@isc.org> wrote:
>
> > In my mind this is good enough reason to outlaw keytag collisions -
> > without them it would be _much_ easier to implement reasonable limits
> > without risk of breaking legitimate clients.
>
> That would make key tags meaningful. ;--)
>
> The question is how, in a multi-signer friendly way.

Yes, enforcing non-colliding keytags in a multi-signer configuration is more
challenging, since coordination across multiple independent parties may be
needed. But a process could be developed to deal with that.

But I'm not sure how worried I am about it, as a practical matter. Even if by
some remarkable coincidence all keys collided in a 2-party KSK+ZSK
multi-signer configuration, Unbound with its 4-keytag limit would still be
able to deal with it. (I guess some additional room for pre-published
rollover keys may be needed if they also collided.)

What colliding keytag limits are other resolver implementers placing?

Shumon.
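The exchange above turns on two mechanics: how a key tag is derived from a DNSKEY, and how a validator bounds the number of colliding keys it is willing to try for one RRSIG. The Python below is an added illustration, not code from the original message or from any resolver. It computes the RFC 4034 Appendix B key tag, constructs distinct keys that deliberately share a tag by reordering 16-bit words of the public key (the tag is a word sum, so the order does not matter), and filters RRSIG candidate keys against a per-tag cap. The cap of 4 mirrors the Unbound figure quoted in the mail; treating an overflow as a validation failure, the 64-byte placeholder "public key", and the names `DNSKey`, `keytag`, `make_colliding_keys` and `candidate_keys` are assumptions of this example.

```python
"""Key tag computation and per-tag candidate-key limiting.

Added example for the DNSOP thread on key tag collisions; not code from the
original message or from any resolver implementation. The limit of 4 keys per
tag mirrors the Unbound figure quoted in the mail; treating an overflow as a
validation failure is an assumed policy, not something the thread states.
"""
import itertools
import struct
from dataclasses import dataclass

# Assumption: cap on DNSKEYs sharing one key tag that a validator will try.
MAX_KEYS_PER_TAG = 4


@dataclass(frozen=True)
class DNSKey:
    flags: int      # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int   # always 3 for DNSSEC
    algorithm: int  # e.g. 13 = ECDSAP256SHA256
    pubkey: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA.

    Sums the RDATA as big-endian 16-bit words and folds the carry once. It is
    only a 16-bit checksum, so distinct keys collide often, and collisions can
    be manufactured on purpose (see make_colliding_keys). Algorithm 1 (RSA/MD5)
    used a different rule; it is obsolete and not handled here.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_colliding_keys(count: int, flags: int = 256, algorithm: int = 13) -> list:
    """Build `count` (at most 6) distinct DNSKEYs that all share one key tag.

    The pubkey starts at an even RDATA offset, so permuting whole 16-bit words of
    it leaves the word sum, and hence the tag, unchanged. Constructed data: the
    64-byte 'key' is just the bytes 0..63, not a real ECDSA point.
    """
    base = bytes(range(64))
    words = [base[i:i + 2] for i in range(0, len(base), 2)]
    keys = []
    for perm in itertools.permutations(words[:3]):   # 3! = 6 distinct orderings
        if len(keys) == count:
            break
        pubkey = b"".join(perm) + b"".join(words[3:])
        keys.append(DNSKey(flags, 3, algorithm, pubkey))
    return keys


class TooManyCollidingKeys(Exception):
    """Raised when more than MAX_KEYS_PER_TAG DNSKEYs match an RRSIG's key tag."""


def candidate_keys(dnskeys, sig_keytag: int, sig_algorithm: int,
                   limit: int = MAX_KEYS_PER_TAG) -> list:
    """Return the DNSKEYs a validator would try against one RRSIG.

    RFC 4035 section 5.3.1 narrows candidates by algorithm and key tag. Without
    a cap, a zone publishing many colliding keys forces one signature
    verification per key; with the cap, the attempt is abandoned (assumed
    policy: the caller treats the exception as a validation failure).
    """
    matches = [k for k in dnskeys
               if k.algorithm == sig_algorithm
               and k.protocol == 3
               and keytag(k.rdata()) == sig_keytag]
    if len(matches) > limit:
        raise TooManyCollidingKeys(
            f"{len(matches)} DNSKEYs share tag {sig_keytag} (limit {limit})")
    return matches


if __name__ == "__main__":
    keys = make_colliding_keys(5)
    tag = keytag(keys[0].rdata())
    print(f"{len(keys)} distinct keys, all with key tag {tag}")
    print("4 keys ->", len(candidate_keys(keys[:4], tag, 13)), "candidates tried")
    try:
        candidate_keys(keys, tag, 13)
    except TooManyCollidingKeys as exc:
        print("5 keys ->", exc)
```

The word-permutation trick is the reason a tag collision needs no luck at all: any zone operator (or attacker controlling a zone) can publish as many same-tag keys as they like, which is why the thread is weighing a hard cap against the multi-signer coordination cost of forbidding collisions.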
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop