> Hmmm, key tags were intended to simplify computation, somehow it
> seems that they've gone the other way.
It seems that key tags set a trap for signers. A signer needs a way to identify keys to do key management. This mechanism needs to be robust such that the signer cannot get confused about which key is which. Where it went wrong is that signers started using the key tag to identify keys. And somehow this practice continued even though we know that the chance of collision is high.

The obvious thing to do is to publish a document on how signers should identify keys. And then try to fix all signers to not use key tags anymore.

If we look at validators, the design of DNSSEC does not include systematic analysis of denial of service potential and design to avoid that. This is mostly absent, often wrong, basically left to the implementor. So it should not come as a surprise that key tags (as currently specified) do not really help to avoid denial of service attacks.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
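An added illustration of the collision trap discussed above (example code written for this page, not part of the thread): the RFC 4034 Appendix B key tag is a folded 16-bit sum over the DNSKEY RDATA, so two distinct keys whose public-key bytes differ only by the order of 16-bit words get the same tag, and a key store indexed by tag silently loses one of them. The SHA-256 identifier used for comparison is an assumed alternative, not a standardised one, and the key material is constructed, not a real key.

```python
import hashlib
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1): a 16-bit sum with carry fold."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_id(rdata: bytes) -> str:
    """Assumed collision-resistant identifier: SHA-256 of the full RDATA (not a standard)."""
    return hashlib.sha256(rdata).hexdigest()


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Copy of data with 16-bit words i and j exchanged; the word sum, hence the tag, is unchanged."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)


# Constructed sample key material (not a real key); the public key starts on a word boundary
# because the RDATA header is exactly 4 bytes.
PUBKEY_A = bytes(range(1, 33))
PUBKEY_B = swap_words(PUBKEY_A, 0, 5)
KEY_A = dnskey_rdata(257, 3, 13, PUBKEY_A)
KEY_B = dnskey_rdata(257, 3, 13, PUBKEY_B)


def index_keys(keys, by):
    """Index DNSKEY RDATA by the chosen identifier; a colliding identifier overwrites an entry."""
    store = {}
    for rdata in keys:
        store[by(rdata)] = rdata
    return store


def demo():
    """Show that tag-indexed storage keeps one of two distinct keys while id-indexed storage keeps both."""
    return {
        "tag_a": key_tag(KEY_A), "tag_b": key_tag(KEY_B), "distinct": KEY_A != KEY_B,
        "kept_by_tag": len(index_keys([KEY_A, KEY_B], key_tag)),
        "kept_by_id": len(index_keys([KEY_A, KEY_B], key_id)),
    }
```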