Moin!

On 15 Feb 2024, at 6:02, Paul Wouters wrote:
> You seem willing to (statistically) throw 1/65536 zones under the bus. That
> would roughly be 2500 .com domains if all of .com was signed (without key
> sharing)
>
> I don't see why we should do this.

So, to put some real numbers out there: for testing, I recently downloaded all the zone data I could get from ICANN CZDS and tried to get DNSKEYs for every domain. That data set had 256479639 domains (256 million), and out of those 18726163 (18 million, or 7.3 percent) actually had DNSKEYs. Out of those, 153 had key collisions, which is 0.0008 percent, or roughly half of what you expected.

> As for limits, I would say 3 or 4, to account for rare KSK+ZSK key rollover at
> the same time with clashing key tags.

I think 2 is fine, as signers can also be updated to generate new keys when they have collisions. I can see that in a multi (dual) signer setup standby keys could collide when they are made public, but if we are able to treat the multi-signer paths differently with DELEG we maybe don't need to care about key collisions at all. That is a bit off topic, though.

So long
-Ralf

-------
Ralf Weber

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
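The thread's 1/65536 figure comes from the DNSKEY key tag being a 16-bit checksum (RFC 4034 Appendix B), not a hash, so two independently generated keys in the same zone land on the same tag with roughly birthday probability. The following added example (mine, not code from the thread or from any signer) shows the key tag computation, the pre-publication check a signer could run to regenerate a colliding key before it goes live, and the probability estimate the 1/65536 figure is an instance of. The DNSKEY records are constructed sample data; `dnskey_rdata`, `key_tag_collisions` and `collision_probability` are names I chose, and the 153 / 18726163 figures are the ones Ralf reports above.

```python
"""Added example: DNSSEC key tag computation, collision check and the
per-zone collision probability (not code from the DNSOP thread)."""
from collections import defaultdict
from math import prod

KEY_TAG_SPACE = 1 << 16  # key tags are 16-bit, hence 65536 possible values


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA
    (flags | protocol | algorithm | public key). It is a 16-bit checksum,
    not a hash, which is why distinct keys collide at roughly 1/65536."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA (helper name is mine); protocol is always 3 for
    DNSSEC per RFC 4034 section 2.1.2."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key


def key_tag_collisions(rdatas):
    """Map every key tag shared by more than one DNSKEY to the indices of the
    colliding records. A signer can run this before publishing a new key
    (a rollover or standby key) and simply generate another one on a hit."""
    by_tag = defaultdict(list)
    for idx, rdata in enumerate(rdatas):
        by_tag[key_tag(rdata)].append(idx)
    return {tag: idxs for tag, idxs in by_tag.items() if len(idxs) > 1}


def collision_probability(n_keys: int) -> float:
    """Probability that at least two of n independently generated keys share
    a tag, treating tags as uniform over 65536 values (birthday bound).
    n=2 gives exactly 1/65536, the figure quoted in the thread."""
    return 1.0 - prod(1.0 - i / KEY_TAG_SPACE for i in range(n_keys))


# Constructed sample DNSKEY set for one zone. The second KSK is the first
# with its even-position key bytes swapped, which leaves the checksum (and so
# the key tag) unchanged: a deliberate collision for the check to catch.
SAMPLE_KEYS = [
    dnskey_rdata(257, 13, bytes([0x01, 0x02, 0x03, 0x04])),  # KSK, tag 2068
    dnskey_rdata(257, 13, bytes([0x03, 0x02, 0x01, 0x04])),  # KSK, tag 2068
    dnskey_rdata(256, 13, bytes([0x05, 0x06, 0x07, 0x08])),  # ZSK, tag 4123
]


def main():
    for idx, rdata in enumerate(SAMPLE_KEYS):
        print(f"key {idx}: tag {key_tag(rdata)}")
    print("collisions:", key_tag_collisions(SAMPLE_KEYS))
    for n in (2, 3, 4):
        print(f"P(collision | {n} keys) = {collision_probability(n):.3e}")
    # Figures reported in the thread: 153 colliding zones of 18726163 signed.
    observed = 153 / 18_726_163
    print(f"observed rate {observed:.3e} vs 1/65536 = {1 / KEY_TAG_SPACE:.3e}")


if __name__ == "__main__":
    main()
```

The observed rate is about half the two-key birthday estimate, consistent with Ralf's remark; a zone with three or four live keys (KSK plus ZSK plus a rollover or standby key) sits closer to 3/65536 or 6/65536, which is the scenario behind the "3 or 4" limit in the quoted text.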