On Feb 28, 2024, at 03:52, libor.peltan <libor.peltan=40nic...@dmarc.ietf.org> wrote:
>
> Hi John,
> On 27. 02. 24 at 21:24, John Levine wrote:
>> The total number of domains where I found duplicate tags was 105.
>>
>>
> As I said earlier, while I appreciate such research, I warn against
> misinterpreting it. The main point isn't about the zones that are currently
> experiencing a keytag-conflict; it's about the zones where there is a
> potential threat that they might do tomorrow (considering the case when many
> mainstream validating resolvers would start enforcing strong
> keytag-conflict-intolerance).
You quoted the less-important part of his message. The most important part was:

> The total number where there were more than two tags with the same ID was
> ZERO.

An operational suggestion to validators of "stop if there are more than three keytags with the same value because that seems suspicious" would solve the problem for the validators much more quickly than "wait for some years after the prohibition on issuers goes through the IETF and is then implemented". It also means we don't have to update a 20-year-old spec.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
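As an added illustration of the validator-side cap Paul suggests (this is example code written for this page, not code from the thread or from any named resolver), the block below computes the RFC 4034 Appendix B key tag over DNSKEY wire-format RDATA, counts how many keys in an RRset share each tag, and refuses an RRset (or the candidate-key lookup for one RRSIG) once more than a configurable number of keys share a tag. The function names (`key_tag`, `check_rrset`, `candidate_keys`), the default cap of 3 (taken from the message above), and the short public-key bytes in the sample RRsets are all constructed for the example; real DNSKEY public keys are much longer, and algorithm 1 (RSA/MD5) uses a different, deprecated key-tag formula that is deliberately not handled here.

```python
"""Key-tag collision check over a DNSKEY RRset (added example, constructed data)."""
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit one's-complement-style sum over RDATA.

    rdata is DNSKEY wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key.
    """
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    if rdata[3] == 1:
        # Algorithm 1 (RSA/MD5, deprecated) uses the Appendix B.1 formula instead.
        raise ValueError("algorithm 1 key tags are not supported by this example")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are high bytes, odd offsets low bytes
    ac += (ac >> 16) & 0xFFFF         # fold the carry back in
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY wire-format RDATA from its fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def tag_collisions(rrset: List[bytes]) -> Counter:
    """Map each key tag to the number of DNSKEYs in the RRset that carry it."""
    return Counter(key_tag(r) for r in rrset)


def check_rrset(rrset: List[bytes], max_per_tag: int = 3) -> Tuple[bool, Counter, Dict[int, int]]:
    """Apply the suggested cap: an RRset is acceptable only if no tag is shared by
    more than max_per_tag keys. Returns (ok, per-tag counts, offending tags)."""
    counts = tag_collisions(rrset)
    offenders = {tag: n for tag, n in counts.items() if n > max_per_tag}
    return (not offenders), counts, offenders


def candidate_keys(rrset: List[bytes], sig_key_tag: int, max_per_tag: int = 3) -> Optional[List[bytes]]:
    """Keys a validator would try for an RRSIG with the given key tag, or None if the
    number of matching keys exceeds the cap (treated as suspicious, so stop)."""
    matches = [r for r in rrset if key_tag(r) == sig_key_tag]
    if len(matches) > max_per_tag:
        return None
    return matches


# Constructed sample data: flags 257 (KSK), protocol 3, algorithm 13 (ECDSAP256SHA256).
# Header bytes 01 01 03 0D contribute 0x0101 + 0x030D = 1038 to the tag; the 8-byte
# "public keys" below are chosen so their 16-bit words sum to 10 (tag 1048) or 11 (tag 1049).
_KSK, _PROTO, _ALG = 257, 3, 13
SAMPLE_RRSET = [
    dnskey_rdata(_KSK, _PROTO, _ALG, bytes.fromhex("0001000200030004")),  # tag 1048
    dnskey_rdata(_KSK, _PROTO, _ALG, bytes.fromhex("0004000300020001")),  # tag 1048
    dnskey_rdata(_KSK, _PROTO, _ALG, bytes.fromhex("000000000000000a")),  # tag 1048
    dnskey_rdata(_KSK, _PROTO, _ALG, bytes.fromhex("000000000000000b")),  # tag 1049
]
# Same RRset plus a fourth key sharing tag 1048: exceeds the cap of 3.
SUSPICIOUS_RRSET = SAMPLE_RRSET + [
    dnskey_rdata(_KSK, _PROTO, _ALG, bytes.fromhex("000a000000000000")),  # tag 1048
]


if __name__ == "__main__":
    for name, rrset in (("sample", SAMPLE_RRSET), ("suspicious", SUSPICIOUS_RRSET)):
        ok, counts, offenders = check_rrset(rrset)
        print(f"{name}: tags={dict(counts)} ok={ok} offenders={offenders}")
```

`check_rrset` is the RRset-level form of the cap (apply once when the DNSKEY RRset is fetched); `candidate_keys` is the per-signature form, which is where a validator actually spends its effort, since each matching key is a signature verification attempt. Real resolvers also bound the total number of verification attempts per validation, which this example does not model.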