On Feb 16, 2024, at 12:17, Petr Špaček <pspa...@isc.org> wrote:
> 
> 
> It does not handle collisions in any special way. It simply does not validate 
> and the resolver has no way to tell if the crypto thingy is wrong or if it 
> just tried a wrong key. Any such failure is counted towards fail-budget (1 
> allowed).

So a key tag collision with a sha1 to sha2 rollover with dual signing on a 
rhel/centos box with sha1 disabled leads to servfail instead of insecure 
answer? Should I file a bug for that?

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
