On 2/9/24, 22:05, "Mark Andrews" <ma...@isc.org> wrote:

> The primary use of the key tag is to select the correct key to validate the
> signature from multiple keys.

Yes, which is great if 1) you need to pare down the potential set of keys into something you can handle (like, from tens to 3) and 2) you have some way to request only those keys. Operators generally only publish 2 keys outside of rolls, 3 when rolling the ZSK or the KSK, maybe more if they aren't optimizing. There's no need to specify a subset. I say this with complete hindsight.

And, in the DNSSEC protocol, there's never been a way to request the DNSKEY resource record set (to validate something) that includes "but only those key(s) with key tag ABCDE". So, subsetting doesn't help the response size issue.

My reason for raising this is... not to deprecate key tags as they exist today, it's not worth it, but to avoid designing something like them in the future. We don't need them, and they have contributed operational issues and, reportedly, one significant outage.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
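The key-tag selection the thread discusses, as an added example that is not part of the message nor any ISC or IETF code: the RFC 4034 Appendix B key tag computed over constructed DNSKEY RDATA (not real key material) and the candidate-key filter a validator applies to a DNSKEY RRset. The sample set is deliberately built so a KSK and a ZSK share a tag, which shows that the tag narrows the RRset but never identifies one key.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int       # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: fold the RDATA into 16 bits (a checksum, not a hash)."""
    if rdata[3] == 1:
        # B.1: RSA/MD5 (algorithm 1) uses the last three modulus bytes minus the final one.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd offsets fill the low byte, even the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_keys(rrset, sig_key_tag, sig_algorithm):
    """Keys an RRSIG carrying this (key tag, algorithm) may have been made with.

    RFC 4035 section 5.3.1: tag and algorithm must match and protocol must be 3.
    The validator has to try every returned key; the tag alone settles nothing.
    """
    return [k for k in rrset
            if k.protocol == 3 and k.algorithm == sig_algorithm
            and key_tag(k.rdata()) == sig_key_tag]


# Constructed sample RRset (not real key material). The KSK and the second ZSK
# were built to collide on tag 2068, so the tag cannot tell them apart.
KSK = DNSKEY(257, 3, 13, bytes([1, 2, 3, 4]))
ZSK = DNSKEY(256, 3, 13, bytes([5, 6, 7, 8]))
ZSK_COLLIDING = DNSKEY(256, 3, 13, bytes([4, 7, 0, 0]))
RRSET = [KSK, ZSK, ZSK_COLLIDING]

if __name__ == "__main__":
    for k in RRSET:
        print(f"flags={k.flags} alg={k.algorithm} tag={key_tag(k.rdata())}")
    print(len(candidate_keys(RRSET, 2068, 13)), "candidate key(s) for tag 2068")
```

With three keys published, an RRSIG with tag 2068 still leaves two candidates, so the signature must be tried against both.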