On 2/14/24, 04:40, "DNSOP on behalf of Petr Špaček" <dnsop-boun...@ietf.org on behalf of pspa...@isc.org> wrote:
> In my mind this is good enough reason to outlaw keytag collisions -
> without them it would be _much_ easier to implement reasonable limits
> without risk of breaking legitimate clients.

That would make key tags meaningful. ;--)

The question is how, in a multi-signer friendly way.

Enforcement would have to be at zone load time; it might be only then that the entire DNSKEY resource record set is completely assembled. Key generation time would be better, but if that happens off-line or is otherwise isolated, the check may not have the data it needs, especially if multiple tools are used to generate keys (whether multi-signer or a transition of platform).

Refusing to load a zone would be a very-late-in-the-game way to enforce this; it might be after a zone is entirely signed with the problem key, or after keys are generated at different locations and exchanged.

Maybe at data set signing time? But it is possible to sign data at two locations and merge the RRSIG resource record sets after the fact, so the signer might not realize it is contributing to a key tag collision.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
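The zone-load-time check discussed in the message above, written out as an added example (this is not code from the list post or from any signer implementation): it computes the key tag of each DNSKEY in an assembled RRset per RFC 4034 Appendix B and reports any two keys that share the same owner, algorithm and tag, which is the combination an RRSIG uses to select a validating key. The sample RRset is constructed so the arithmetic is easy to follow; the public-key bytes are deliberately trivial placeholders, not real ECDSA keys, and the merged-from-two-signers scenario is assumed.

```python
import base64
from collections import defaultdict


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    if algorithm == 1:
        # RFC 4034 Appendix B.1: RSA/MD5 uses the last three bytes of the
        # modulus minus the very last byte, not the checksum below.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes added as-is, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse one DNSKEY record in presentation format:
    owner TTL IN DNSKEY flags protocol algorithm base64-key"""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    owner = fields[0].lower()
    flags, protocol, algorithm = (int(x) for x in fields[4:7])
    pubkey = base64.b64decode("".join(fields[7:]))   # key may be split over several fields
    return owner, flags, protocol, algorithm, pubkey


def find_collisions(lines):
    """Group an assembled DNSKEY RRset by (owner, algorithm, key tag) and return
    only the groups holding more than one key, mapped to the keys' flags."""
    groups = defaultdict(list)
    for line in lines:
        owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
        tag = key_tag(flags, protocol, algorithm, pubkey)
        groups[(owner, algorithm, tag)].append(flags)
    return {k: v for k, v in groups.items() if len(v) > 1}


def _present(owner, flags, protocol, algorithm, pubkey):
    """Render a DNSKEY in presentation format (helper for the constructed sample)."""
    return f"{owner} 3600 IN DNSKEY {flags} {protocol} {algorithm} " + base64.b64encode(pubkey).decode()


# Constructed sample: a KSK and two ZSKs as they might look after two signers'
# DNSKEY sets are merged. The placeholder key bytes are chosen so that the KSK
# and the first ZSK share key tag 1038 while the second ZSK gets tag 1549.
SAMPLE_RRSET = [
    _present("example.", 257, 3, 13, bytes(32)),                   # KSK, tag 1038
    _present("example.", 256, 3, 13, b"\x00\x01" + bytes(30)),     # ZSK, tag 1038 (collides)
    _present("example.", 256, 3, 13, b"\x02" + bytes(31)),         # ZSK, tag 1549
]

if __name__ == "__main__":
    for (owner, algorithm, tag), flags in find_collisions(SAMPLE_RRSET).items():
        print(f"key tag collision at {owner} alg {algorithm} tag {tag}: flags {flags}")
```

Running the check over the merged RRset flags the tag-1038 pair; a signer that only ever sees its own keys would pass, which is exactly the gap the message points out for key-generation-time or signing-time enforcement.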