> On Feb 15, 2024, at 6:02 AM, Paul Wouters <p...@nohats.ca> wrote:
> 
> On Feb 15, 2024, at 04:37, Petr Špaček <pspa...@isc.org> wrote:
>> 
>> If you think colliding keys should be allowed, please propose your own 
>> limits for sensible behavior.
> 
> I do think they need to be allowed because they have always been allowed so 
> far. Reasons for not allowing them seem to be implementation details. Sure, 
> if the RFCs had warned implementers this wouldn’t have happened, and we can 
> learn from that (and I gained appreciation and validation for whining about 
> security and operational consideration sections).
> 
> You seem willing to (statistically) throw 1/65536 zones under the bus. That 
> would roughly be 2500 .com domains if all of .com was signed (without key 
> sharing)
> 
> I don’t see why we should do this.

A fairly simple way to deal with this issue is a Flag Day.  As Ralf said in a 
later post, the number of zones with colliding key tags is relatively small.  
It would certainly be reasonable to declare that at some time in the future, 
colliding keys will not be handled by validators.

Brian


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
