On Feb 15, 2024, at 10:03, Ralf Weber <d...@fl1ger.de> wrote:
>
> Moin!
>
> On 15 Feb 2024, at 9:53, Paul Hoffman wrote:
>>> A fairly simple way to deal with this issue is a Flag Day. As Ralf said in
>>> a later post, the number of zones with colliding key tags is relatively
>>> small.
>>
>> Anything above zero is significant.
>
> If you are waiting for zero you might wait forever.

Yes, exactly.

>>> It would certainly be reasonable to declare that at some time in the
>>> future, colliding keys will not be handled by validators.
>>
>> Why? Many people on this thread have said they have or will implement caps
>> on how many collisions for a key set they will allow. An operational change
>> such as that is vastly easier to implement than a flag day, and gets better
>> results.
>
> There is a difference between what a lot of people on this thread did to keep
> the Internet alive and what is a good solution going forward. I think long
> term Brian and Petr are right that key collisions should not be allowed.

Resolvers can already have policies that don't allow them; that has been true for 20 years. There is nothing stopping any resolver from saying "I found a keytag collision so I'm not going to validate". Fortunately, we're seeing resolvers instead saying "I'll bound the amount of work I do when I see colliding keytags". Compare that to "we're going to change a 20-year-old spec, wait for years for the changes to be implemented, and only then change the way validators work". The current situation is much more sustainable.

--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
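As an added illustration of the two validator behaviours discussed in this thread (refusing on a key tag collision versus bounding the work spent on colliding keys), not code from any participant or from any resolver, here is the RFC 4034 Appendix B key tag computation, a collision check over a DNSKEY RRset, and a per-key-tag work cap. The cap value, the `bounded_validate` helper and the six-byte fake public keys are constructed for the example; a real validator would plug its signature check in where `verify` is called.

```python
import itertools
from collections import Counter

# Illustrative cap on DNSKEYs sharing one key tag that a validator will try
# per RRSIG (an assumed local policy value, not something any RFC prescribes).
MAX_KEYS_PER_TAG = 2

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over DNSKEY RDATA (flags|protocol|algorithm|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Assemble DNSKEY RDATA; the protocol octet is always 3 (RFC 4034 section 2.1.2)."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def colliding_tags(rrset: list[bytes]) -> dict[int, int]:
    """{key_tag: count} for every tag carried by more than one key in the RRset."""
    counts = Counter(key_tag(r) for r in rrset)
    return {tag: n for tag, n in counts.items() if n > 1}

def bounded_validate(rrset, rrsig_tag, verify, cap=MAX_KEYS_PER_TAG):
    """Try keys matching the RRSIG's key tag, but never more than `cap` of them.
    Returns (verified, number of signature checks performed)."""
    attempts = 0
    for rdata in rrset:
        if key_tag(rdata) != rrsig_tag:
            continue
        if attempts >= cap:
            break  # work bound hit: give up on this RRSIG instead of grinding on
        attempts += 1
        if verify(rdata):
            return True, attempts
    return False, attempts

# Constructed sample RRset: the key tag is a sum of 16-bit words, so permuting the
# words of a (fake, 6-byte) public key yields six DNSKEYs with an identical tag.
WORDS = (b"\x01\x02", b"\x03\x04", b"\x05\x06")
COLLIDING = [dnskey_rdata(256, 13, b"".join(p)) for p in itertools.permutations(WORDS)]
HONEST = dnskey_rdata(256, 13, b"\x01\x02\x03\x04\x05\x07")
SAMPLE_RRSET = COLLIDING + [HONEST]

if __name__ == "__main__":
    print("colliding tags:", colliding_tags(SAMPLE_RRSET))
    never = lambda _rdata: False  # stands in for a signature check that keeps failing
    print("unbounded:", bounded_validate(SAMPLE_RRSET, 3353, never, cap=100))
    print("bounded:  ", bounded_validate(SAMPLE_RRSET, 3353, never))
```

With the cap in place, a signer that publishes many same-tag keys costs the validator at most `MAX_KEYS_PER_TAG` signature checks per RRSIG instead of one per key.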