On 2/15/24 22:53, Mark Andrews wrote:
> But we can state that they should be avoided when generating new DNSKEYs. BIND has been avoiding key tag collisions for 2 decades now when generating new keys. Multi-signers all have to have the current published DNSKEY RRset which includes *all* DNSKEYs as part of their publication process.
Multi-signer peers do not need to publish each other's KSKs. A DNSKEY response only needs to contain the KSK suitable for validating the response RRset itself (i.e., the responding peer's KSK), and any ZSKs/CSKs that may be needed for validation of other responses. Multi-signers thus aren't necessarily aware of key tag collisions across KSKs.

When using DS provisioning automation via CDS/CDNSKEY, they'll have to exchange each other's KSKs for publishing a joint C* RRset (as in draft-thomassen-dnsop-mske). The collision could be detected then, but using C* automation is not required.

Best,
Peter
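As an added illustration of the check that becomes possible once peers exchange their KSKs (this is not code from the thread, BIND, or any DNS implementation): the script computes RFC 4034 key tags over the DNSKEY records each multi-signer peer would contribute and reports tags shared by different key material. The signer names and key bytes are constructed.

```python
# Added example: detect DNSKEY key tag collisions across multi-signer peers.
# Signer names and key material below are constructed, not real keys.
import base64
from collections import defaultdict

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag as in RFC 4034 Appendix B: sum the 16-bit words, fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR into (flags, protocol, algorithm, pubkey)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return flags, proto, alg, base64.b64decode("".join(f[i + 4:]))

def find_tag_collisions(rrsets_by_signer: dict) -> dict:
    """Map each colliding key tag to the (signer, flags, algorithm) entries sharing it.
    The same key published by several peers (e.g. an exchanged ZSK) is not a
    collision; only different key material under one tag is reported."""
    by_tag = defaultdict(list)
    for signer, lines in rrsets_by_signer.items():
        for line in lines:
            flags, proto, alg, pub = parse_dnskey(line)
            tag = key_tag(dnskey_rdata(flags, proto, alg, pub))
            by_tag[tag].append((signer, flags, alg, pub))
    return {tag: [(s, fl, al) for s, fl, al, _ in entries]
            for tag, entries in by_tag.items()
            if len({e[3] for e in entries}) > 1}

# Constructed DNSKEY records as each peer might present them when exchanging KSKs.
SAMPLE_RRSETS = {
    "signer-a": ["example. 3600 IN DNSKEY 257 3 13 AQIDBA==",   # signer A's KSK
                 "example. 3600 IN DNSKEY 256 3 13 BQYHCA=="],  # shared ZSK
    "signer-b": ["example. 3600 IN DNSKEY 257 3 13 AQMDAw==",   # signer B's KSK
                 "example. 3600 IN DNSKEY 256 3 13 BQYHCA=="],  # same shared ZSK
}

if __name__ == "__main__":
    for tag, entries in find_tag_collisions(SAMPLE_RRSETS).items():
        print(f"key tag {tag} collides across: {entries}")
```

With the constructed input the two KSKs share tag 2068 while the ZSK that both peers publish is reported as one key, not a collision.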