On 2/15/24, 12:49, "Wellington, Brian" <bwell...@akamai.com> wrote:
> A fairly simple way to deal with this issue is a Flag Day. As Ralf said in a
> later post, the number of zones with colliding key tags is relatively small.
> It would certainly be reasonable to declare that at some time in the future,
> colliding keys will not be handled by validators.
Thinking:

1) Operators need to be able to tell if they have colliding key tags. (Mitigating is as simple [or complex] as a key roll.)

2) The recent colliding-key-tag TLD outage was related to key management, not validation.

3) Resource consumption issues in validation are wider than key tag collision.

I'd save a flag day for a more general treatment of validator resource consumption - imposing limits on key tags, number of signatures to try, levels of dnssec-signed indirection (CNAME chains), and so on.

Getting validators to "ban" collisions doesn't seem to be the right direction, given that validators are fine with "sane" levels of collisions. Realizing "sane" is a very subjective word.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
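As an added example (not part of this thread or of any named implementation), the operator check that item 1 asks for: compute the key tag of each DNSKEY in an RRset with the RFC 4034 Appendix B algorithm and report tags shared by more than one key under the same owner name and algorithm, which is the scope in which an RRSIG's key tag is used to select candidate keys. The zone name `example.test.` and the short base64 blobs are constructed placeholders, not real key material; `SAMPLE_RRSET`, `key_tag`, `parse_dnskey` and `find_collisions` are names chosen for this example.

```python
"""Compute DNSSEC key tags (RFC 4034, Appendix B) for a DNSKEY RRset and report
colliding tags so an operator can spot the condition and schedule a key roll.
Added example; the sample records below are constructed, not real keys."""
import base64
import struct
from collections import defaultdict


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag over the full DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    if algorithm == 1:
        # RSA/MD5 (RFC 4034 B.1): the 3rd- and 2nd-to-last bytes of the modulus,
        # which are the 3rd- and 2nd-to-last bytes of the RDATA.
        return int.from_bytes(rdata[-3:-1], "big")
    # All other algorithms (RFC 4034 B): 16-bit ones-complement-style checksum.
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(line: str):
    """Parse presentation format: 'owner TTL IN DNSKEY flags proto alg base64...'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    # The base64 public key may be split across several whitespace-separated chunks.
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def tag_records(lines):
    """Return [(owner, flags, algorithm, key_tag)] for each DNSKEY line."""
    out = []
    for line in lines:
        owner, flags, proto, alg, pub = parse_dnskey(line)
        tag = key_tag(dnskey_rdata(flags, proto, alg, pub), alg)
        out.append((owner, flags, alg, tag))
    return out


def find_collisions(lines):
    """Map (owner, algorithm, key_tag) -> number of keys sharing that tag (only >1).

    Grouping by owner and algorithm matches how a validator selects candidate
    keys for an RRSIG: signer name, algorithm and key tag must all match.
    """
    seen = defaultdict(int)
    for owner, _flags, alg, tag in tag_records(lines):
        seen[(owner, alg, tag)] += 1
    return {k: v for k, v in seen.items() if v > 1}


# Constructed sample RRset: two KSKs whose RDATA sums to the same 16-bit tag,
# plus one ZSK. The 4-byte "public keys" are placeholders, not valid ECDSA keys.
SAMPLE_RRSET = [
    "example.test. 3600 IN DNSKEY 257 3 13 AAECAw==",  # pubkey 00 01 02 03 -> tag 1554
    "example.test. 3600 IN DNSKEY 257 3 13 AQABBA==",  # pubkey 01 00 01 04 -> tag 1554
    "example.test. 3600 IN DNSKEY 256 3 13 BQYHCA==",  # pubkey 05 06 07 08 -> tag 4123
]

if __name__ == "__main__":
    for owner, flags, alg, tag in tag_records(SAMPLE_RRSET):
        print(f"{owner} flags={flags} alg={alg} keytag={tag}")
    for (owner, alg, tag), n in find_collisions(SAMPLE_RRSET).items():
        print(f"COLLISION: {owner} alg={alg} keytag={tag} shared by {n} keys")
```

To run this against a live zone, feed it the output of a DNSKEY query in presentation format (one record per line); any reported collision is the condition the thread discusses, and the fix on the operator side is to roll one of the colliding keys.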