The kind of load is different but in each case the client needs to
limit the amount of work it's willing to do. We can forbid it in the
protocol but unless you have better contacts at the Protocol Police
than I do, people will do it anyway.
If you forbid in the protocol the tools will be fixed to prevent it
occurring when signing and the validators don’t have to be prepared
to play trial and error when there are duplicate tags in a DNSKEY
RRset. ...
That's all true, but people will publish them anyway, so the tools need to
defend against them no matter what the protocol says. Based on what I've
seen, pairs of colliding tags appear innocently, larger numbers don't, so
you set the limit in the single digits.
Is it really so much harder to write code that allows, say, three
signatures and three IDs than code that only allows one? As I hardly need
point out, the process cost of changing the protocol is high, and it will
take approximately forever for the long tail to notice.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
