On Feb 15, 2024, at 04:37, Petr Špaček <pspa...@isc.org> wrote:

> If you think colliding keys should be allowed, please propose your own limits
> for sensible behavior.
I do think they need to be allowed because they have always been allowed so far. Reasons for not allowing them seem to be implementation details. Sure, if the RFCs had warned implementers this wouldn’t have happened, and we can learn from that (and I gained appreciation and validation for whining about security and operational consideration sections).

You seem willing to (statistically) throw 1/65536 zones under the bus. That would roughly be 2500 .com domains if all of .com was signed (without key sharing). I don’t see why we should do this.

As for limits, I would say 3 or 4, to account for a rare KSK+ZSK key rollover at the same time with clashing key tags.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
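The numbers in the thread (1/65536, a per-zone cap of 3 or 4 colliding tags) follow directly from how the DNSKEY key tag is computed. The example below is added here and is not code from the message, from ISC, or from any resolver; it implements the key tag algorithm from RFC 4034 Appendix B, shows why two legitimately different keys can share a tag, expresses a configurable "at most N keys per tag" validator-side limit of the kind Petr asked for, and reproduces the 1/65536 estimate. The DNSKEY public keys and the zone count of 163,840,000 are constructed values chosen for the arithmetic, not real keys or the real size of .com.

```python
"""Key tag arithmetic behind the "colliding keys" discussion (added example)."""
from collections import Counter
from typing import Dict, List

TAG_SPACE = 1 << 16  # key tags are 16-bit, so 65536 possible values


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B.

    Algorithm 1 (RSA/MD5, long deprecated) uses a different rule (B.1):
    the two bytes before the last byte of the modulus.  Everything else
    is a one's-complement-style sum of the RDATA as 16-bit words.
    """
    algorithm = rdata[3]
    if algorithm == 1:
        if len(rdata) < 7:
            raise ValueError("algorithm 1 public key too short")
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of a word
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in once
    return ac & 0xFFFF


def tags_over_limit(rdatas: List[bytes], limit: int) -> List[int]:
    """Return key tags that occur more than `limit` times in one DNSKEY RRset.

    This is the shape of the per-zone cap discussed in the thread: a
    validator can tolerate a few colliding tags (e.g. a KSK and ZSK
    rolling at once) without accepting an unbounded number.
    """
    counts: Dict[int, int] = Counter(key_tag(r) for r in rdatas)
    return sorted(tag for tag, n in counts.items() if n > limit)


def collision_probability(keys_per_zone: int) -> float:
    """P(at least two of k uniformly distributed 16-bit tags coincide)."""
    p_all_distinct = 1.0
    for i in range(keys_per_zone):
        p_all_distinct *= (TAG_SPACE - i) / TAG_SPACE
    return 1.0 - p_all_distinct


def expected_zones_with_collision(total_zones: int, keys_per_zone: int) -> float:
    """Expected number of zones (out of total_zones) that contain a tag collision."""
    return total_zones * collision_probability(keys_per_zone)


# Constructed sample DNSKEY RRset (flags 257 = KSK, 256 = ZSK, protocol 3,
# algorithm 13).  KEY_A and KEY_B differ, yet because the tag is a word sum
# they collide: the same 16-bit words in a different order add up the same.
KEY_A = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
KEY_B = dnskey_rdata(257, 3, 13, b"\x03\x04\x01\x02")
KEY_C = dnskey_rdata(256, 3, 13, b"\x0a\x0b\x0c\x0d")
SAMPLE_ZONE = [KEY_A, KEY_B, KEY_C]

if __name__ == "__main__":
    for k in SAMPLE_ZONE:
        print(f"flags={int.from_bytes(k[:2], 'big')} tag={key_tag(k)}")
    print("over limit 4:", tags_over_limit(SAMPLE_ZONE, 4))
    print("over limit 1:", tags_over_limit(SAMPLE_ZONE, 1))
    print("P(collision | 2 keys) =", collision_probability(2))
    print("expected colliding zones:", expected_zones_with_collision(163_840_000, 2))
```

With two keys per zone the collision probability is exactly 1/65536, and a (constructed) population of 163,840,000 signed zones yields the roughly 2500 affected zones cited in the message; with a cap of 4 the sample RRset passes, with a cap of 1 the colliding tag is reported.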