Moin!

On 14 Feb 2024, at 7:17, Paul Hoffman wrote:

>> My concern here is a bad actor using key tag collisions to disrupt important
>> validating resolver services. For some definition of important.
>
> That is not a "minor tweak", that will occasionally break validation in
> hard-to-detect ways. The problem is not the collisions, it is the collisions
> causing almost unbounded processing. A better update would be to say "watch
> for excessive processing due to keytag collisions and abort when you detect
> it".
And that is exactly what people have implemented for the KeyTrap vulnerability. So starting yesterday you might see breakage if you have more than a couple of key collisions (from my understanding of reading it, it is between 1 and 3 for most common software, meaning you can have 2 to 4 keys with the same key tag). That is the correct thing to do and I think we need to change the standards to reflect that. Even in the multi-signer setup each signer should be able to not have key collisions and theoretically also look at the other signers' keys when generating new ones, so a collision could really only occur when both providers introduce a key at roughly the same time. So even only allowing one collision should work.

So long
-Ralf

——-
Ralf Weber

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
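The two sides of the thread above, the signer avoiding key tag collisions and the validator bounding how many colliding keys it will try, as an added example that is not part of the mailing list post or of any resolver's code. It computes the RFC 4034 Appendix B key tag over DNSKEY RDATA (the non-RSA/MD5 form), flags collisions in a key set before a signer publishes a new key, and applies a validator-side budget (`max_collisions`, an assumed name) that gives up once more keys than allowed match a signature's key tag. The DNSKEY records are constructed placeholders with tiny public keys, chosen only so that the tag arithmetic is easy to follow.

```python
"""Key tag collision checks for DNSKEY sets (added example, not from the post)."""
import struct

ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit that marks a zone-signing key

# Constructed sample DNSKEY RDATA fields: (flags, protocol, algorithm, public key).
# The public keys are placeholder bytes, not real keys; key 2 collides with key 0.
SAMPLE_KEYS = [
    (257, 3, 13, b"\x01\x02"),  # KSK-style flags, tag 1296
    (256, 3, 13, b"\x02\x02"),  # tag 1551
    (256, 3, 13, b"\x01\x03"),  # tag 1296 -> same tag as key 0
]


def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8  # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def find_collisions(keys):
    """Map each colliding key tag to the indexes of the keys sharing it."""
    by_tag = {}
    for idx, key in enumerate(keys):
        by_tag.setdefault(key_tag(*key), []).append(idx)
    return {tag: idxs for tag, idxs in by_tag.items() if len(idxs) > 1}


def tag_is_free(published_keys, new_key):
    """Signer-side check before introducing a key: the new tag must not be in
    use by any key already in the DNSKEY set, including another signer's keys
    in a multi-signer setup."""
    return key_tag(*new_key) not in {key_tag(*k) for k in published_keys}


class ExcessiveCollisions(Exception):
    """Raised when a signature matches more keys than the validator will try."""


def candidate_keys(keys, sig_key_tag, sig_algorithm, max_collisions=1):
    """Validator-side selection of DNSKEYs that could have produced an RRSIG.

    Stops as soon as more than max_collisions + 1 zone keys share the
    signature's algorithm and key tag, instead of attempting every one.
    """
    matches = []
    for idx, (flags, _protocol, algorithm, _public_key) in enumerate(keys):
        if algorithm != sig_algorithm or not flags & ZONE_KEY_FLAG:
            continue
        if key_tag(*keys[idx]) == sig_key_tag:
            matches.append(idx)
            if len(matches) > max_collisions + 1:
                raise ExcessiveCollisions(
                    f"{len(matches)} keys share tag {sig_key_tag}; budget is "
                    f"{max_collisions} collision(s)"
                )
    return matches


def collision_budget_ok(keys, sig_key_tag, sig_algorithm, max_collisions=1):
    """True if validation of this signature stays within the collision budget."""
    try:
        candidate_keys(keys, sig_key_tag, sig_algorithm, max_collisions)
    except ExcessiveCollisions:
        return False
    return True


if __name__ == "__main__":
    print("collisions in sample set:", find_collisions(SAMPLE_KEYS))
    print("candidates for tag 1296:", candidate_keys(SAMPLE_KEYS, 1296, 13))
    fourth = (256, 3, 13, b"\x00\x03\x01\x00")  # also tag 1296
    print("within budget with a 4th colliding key:",
          collision_budget_ok(SAMPLE_KEYS + [fourth], 1296, 13))
```

With the default budget of one collision the sample set validates (two keys share tag 1296), while adding a third key with that tag trips the budget, which is the "abort when you detect it" behaviour the quoted message asks for. The signer-side `tag_is_free` check is what keeps the set under that budget in the first place; in a multi-signer deployment it has to be run against the union of both providers' published keys.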