> On 13 Feb 2024, at 00:56, Edward Lewis <edward.le...@icann.org> wrote:
>
> On 2/9/24, 22:05, "Mark Andrews" <ma...@isc.org> wrote:
>
>> The primary use of the key tag is to select the correct key to validate the
>> signature from multiple keys.
>
> Yes - which is great if 1) you need to pare down the potential set of keys
> into something you can handle (like, from 10's to 3) and 2) if you have
> somewhat to request only those keys.
>
> Operators generally only publish 2 keys outside of rolls, 3 when rolling the
> ZSK or the KSK, maybe more if they aren't optimizing. There's no need to
> specify a subset. I say this with complete hindsight.
I would still argue that there is a need even if there are only 2 keys.
Verification is expensive. It always has been.
> And, in the DNSSEC protocol, there's never been a way to request the DNSKEY
> resource record set (to validate something) that includes 'but only those
> key(s) with key tag ABCDE. So, subsetting doesn't help the response size
> issue.
>
> My reason for raising this is...not to deprecate key tags as they exist
> today, it's not worth it, but to avoid designing something like them in the
> future. We don't need them, and they have contributed operational issues
> and, reportedly, one significant outage.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
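The key-tag pre-selection this thread discusses, as an added example that is not part of the thread itself: it computes the RFC 4034 Appendix B key tag over DNSKEY RDATA and filters a DNSKEY RRset down to the keys worth attempting a signature verification with. The DNSKEY records (flags, protocol, algorithm, public-key bytes) are constructed, not real keys, and two of them are built to share a key tag, which is why the filter returns candidates rather than a single key.

```python
import struct

# A DNSKEY is represented here as (flags, protocol, algorithm, pubkey_bytes).
# The pubkey bytes below are constructed for illustration, not real keys.
KEY_A = (257, 3, 13, b"\x01\x02\x03\x04")  # KSK (SEP bit set)
KEY_B = (256, 3, 13, b"\x05\x06\x07\x08")  # ZSK
KEY_C = (256, 3, 13, b"\x05\x07\x07\x07")  # ZSK chosen to collide with KEY_B's tag


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the full RDATA.

    Even-offset bytes are added shifted left by 8, odd-offset bytes as-is, then
    the carry above 16 bits is folded back in. Algorithm 1 (RSA/MD5) uses the
    different rule of Appendix B.2 and is not handled here.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_keys(dnskey_rrset, rrsig_key_tag: int, rrsig_algorithm: int):
    """Keys from the RRset whose algorithm and key tag match the RRSIG fields.

    This is the pre-filter: only these keys need a (costly) verification attempt.
    The tag is a 16-bit checksum, not a unique identifier, so more than one key
    can match and a validator must be prepared to try each candidate.
    """
    return [
        key for key in dnskey_rrset
        if key[2] == rrsig_algorithm and key_tag(dnskey_rdata(*key)) == rrsig_key_tag
    ]


if __name__ == "__main__":
    rrset = [KEY_A, KEY_B, KEY_C]
    for key in rrset:
        print(f"flags={key[0]} alg={key[2]} tag={key_tag(dnskey_rdata(*key))}")
    # An RRSIG carrying key tag 4123 / algorithm 13 still leaves two candidates.
    print([k[3] for k in candidate_keys(rrset, 4123, 13)])
```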