On 7/6/21, 12:15 PM, "dns-operations on behalf of Tony Finch" <dns-operations-boun...@dns-oarc.net on behalf of d...@dotat.at> wrote:
> If it is one of your zones then your key management software should ensure
> that all the key IDs are different, i.e. if there is an ID collision when
> generating a key, throw it away and regenerate it. This is important for
> verification performance (and, I would guess, less risk of encountering
> bugs).

FWIW, I've seen one (emphasize just one) example of concurrent, active, colliding key tags among the TLDs over the past 10 years. When it happened, it seemed to persist for a month, with the operator rolling one of the keys. This happened in 2018; I didn't notice it until last month while trolling through historical data, so I bet there was never any interruption.

The protocol ought not be fooled by it, but you can never tell about the quality of a validator. I.e., such code may not realize that asking for a key tag out of a DNSKEY set might need to return a list and not a single value.

This started out as a convention: key generation tools would not produce a key that key-tag-collided, but as with any other tool or environment, it might occur.

Where I ran across the issue is in some analytical code I'm working on. A collision might foul up other monitoring and visualization code, but it should not be operationally impacting.
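The two points in this thread (key-generation tools should discard a key whose tag collides with an existing one, and a validator's key-tag lookup over a DNSKEY RRset must yield a list rather than a single key) can be exercised with a small script. This is an added example, not code from the thread or from any TLD operator's tooling. It implements the RFC 4034 Appendix B key tag computation (valid for every algorithm except 1, RSA/MD5) over wire-format DNSKEY RDATA; the `DNSKey` class, the function names and the sample RRset are all constructed here. The sample keys are not real keys: the two KSKs carry public-key bytes that are 16-bit-word permutations of each other, which is enough to make their key tags collide.

```python
"""Key tag computation (RFC 4034, Appendix B) and collision checks for a DNSKEY RRset.

Added example, not code from the mailing-list thread. Sample keys below are
constructed (not real DNSSEC keys) so that two of them share a key tag.
"""
import base64
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKey:
    """Minimal DNSKEY record: the four RDATA fields (hypothetical helper type)."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    @classmethod
    def from_presentation(cls, text: str) -> "DNSKey":
        # Zone-file form "257 3 13 <base64>"; the base64 may be split by spaces
        flags, proto, alg, *b64 = text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1: sum the RDATA as big-endian 16-bit words, fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keys_by_tag(rrset):
    """Index a DNSKEY RRset by key tag. Values are lists: tags are not unique."""
    index = defaultdict(list)
    for k in rrset:
        index[key_tag(k.rdata())].append(k)
    return dict(index)


def colliding_tags(rrset):
    """Tags that appear on more than one key in the RRset (monitoring check)."""
    return {tag: keys for tag, keys in keys_by_tag(rrset).items() if len(keys) > 1}


def candidate_keys_for_rrsig(rrset, sig_key_tag, sig_algorithm):
    """Every key a validator must try for an RRSIG, not only the first with that tag."""
    return [k for k in keys_by_tag(rrset).get(sig_key_tag, [])
            if k.algorithm == sig_algorithm]


def accept_new_key(existing, candidate):
    """Key-generation policy from the thread: reject a candidate whose tag collides."""
    used = {key_tag(k.rdata()) for k in existing}
    return key_tag(candidate.rdata()) not in used


# Constructed RRset. KSK_A and KSK_B have public keys that are permutations of
# each other's 16-bit words, so their word sums, and hence key tags, are equal.
KSK_A = DNSKey(257, 3, 13, bytes([1, 2, 3, 4, 5, 6, 7, 8]))
KSK_B = DNSKey(257, 3, 13, bytes([5, 6, 7, 8, 1, 2, 3, 4]))
ZSK_C = DNSKey(256, 3, 13, bytes([9] * 8))
SAMPLE_RRSET = [KSK_A, KSK_B, ZSK_C]

if __name__ == "__main__":
    for k in SAMPLE_RRSET:
        print(k.flags, k.protocol, k.algorithm,
              base64.b64encode(k.public_key).decode(), "tag", key_tag(k.rdata()))
    print("colliding tags:", {t: len(v) for t, v in colliding_tags(SAMPLE_RRSET).items()})
    print("accept KSK_B next to KSK_A?", accept_new_key([KSK_A, ZSK_C], KSK_B))
```

`colliding_tags` is the check an operator's monitoring would run over a published DNSKEY RRset; `candidate_keys_for_rrsig` is the shape a validator's lookup needs so that a collision costs only an extra signature verification rather than a validation failure; `accept_new_key` is the regenerate-on-collision rule at key-generation time.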