On Feb 16, 2024, at 12:17, Petr Špaček <pspa...@isc.org> wrote:
>
> It does not handle collisions in any special way. It simply does not validate
> and the resolver has no way to tell if the crypto thingy is wrong or if it
> just tried a wrong key. Any such failure is counted towards fail-budget (1
> allowed).

So a key tag collision with a sha1 to sha2 rollover with dual signing on a rhel/centos box with sha1 disabled leads to servfail instead of insecure answer? Should I file a bug for that?

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop