Re: DNSSEC will eventually generate Identical Key ID's

2018-09-13 Thread Tony Finch
Warren Kumari wrote:
> This reminds me of some interesting (well, interesting to me :-)) related research Ben Laurie and I did around that time -- while looking at the distribution of generated keys I noticed that OpenSSL / GnuTLS generate a different distribution than e.g. mbedTLS.

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-12 Thread Warren Kumari
On Mon, Sep 10, 2018 at 4:45 AM Ray Bellis wrote:
> On 09/09/2018 18:51, Mark Elkins wrote:
>> Just for the record, although I do look from a curiosity point of view for Identical Key ID's once every few months - I've never seen them - until now.
>>
>> Now I have them - generated by

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-10 Thread Warren Kumari
On Sun, Sep 9, 2018 at 2:30 PM Anand Buddhdev wrote:
> On 09/09/2018 19:51, Mark Elkins wrote:
>> Never assume a KeyID is unique. :-)
>
> One of the DNSSEC RFCs specifically says that the KeyID is not meant to be unique. I can't remember which one, and it's too late on a Sunday evening

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-10 Thread Tony Finch
Mark Elkins wrote:
> Never assume a KeyID is unique. :-)

Good tools ensure that key IDs are unique per zone. For example, if you keep generating keys for a zone with `dnssec-keygen` it will eventually get into an infinite loop perpetually generating colliding keys! Apart from the footgun that

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-10 Thread Ray Bellis
On 09/09/2018 18:51, Mark Elkins wrote:
> Just for the record, although I do look from a curiosity point of view for Identical Key ID's once every few months - I've never seen them - until now.
>
> Now I have them - generated by BIND within a few days of each other...
>
> I've been running

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Anand Buddhdev
On 09/09/2018 19:51, Mark Elkins wrote:
> Never assume a KeyID is unique. :-)

One of the DNSSEC RFCs specifically says that the KeyID is not meant to be unique. I can't remember which one, and it's too late on a Sunday evening to be reading RFCs :) Even then, I've had the misfortune of dealing

DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Mark Elkins
Just for the record, although I do look from a curiosity point of view for Identical Key ID's once every few months - I've never seen them - until now. Now I have them - generated by BIND within a few days of each other...

-rw-r--r-- 1 root root   431 Aug 18 00:03 Kipv6.org.za.+008+46578.key