Moin!

On 15 Feb 2024, at 11:35, Paul Hoffman wrote:

> Resolvers can already have policies that don't allow them; that has been true
> for 20 years. There is nothing stopping any resolver from saying "I found a
> keytag collision so I'm not going to validate". Fortunately, we're seeing
> resolvers instead saying "I'll bound the amount of work I do when I see
> colliding keytags".

I don't know which resolver had key tag collision limits for 20 years, but am happy to be educated. Anyway, outlawing key tag collisions was and IMHO still is on the table. It's just that we didn't want to break anything immediately.

> Compare that to "we're going to change a 20-year-old spec, wait for years for
> the changes to be implemented, and only then change the way validators work".
> The current situation is much more sustainable.

We have had in recent history a lot of drafts that were even implemented before they became RFCs and had much larger failure ratios. I see no reason not to immediately implement an RFC that says key tag collisions are not allowed.

So long
-Ralf

-------
Ralf Weber

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
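The key tag computation and the two resolver behaviours discussed in the exchange above (refusing to validate when a key tag collides vs. bounding the work a validator will do), as an added example that is not part of the post or of any resolver's code. Key tags follow RFC 4034 Appendix B. Everything else is an assumption of the example: the DNSKEY RRset, the signed data and the RRSIGs are constructed, and an HMAC-SHA256 stands in for RSA/ECDSA verification so the code runs with only the standard library. An unbounded policy is included alongside the two from the thread to show the work amplification the bound is meant to cap.

```python
import hashlib
import hmac
import struct
from collections import defaultdict
from dataclasses import dataclass

DNSKEY_PROTOCOL = 3  # RFC 4034: the DNSKEY protocol field is always 3


@dataclass(frozen=True)
class DNSKey:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, DNSKEY_PROTOCOL, self.algorithm) + self.public_key


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the DNSKEY RDATA as big-endian 16-bit words,
    fold the carry back in, keep the low 16 bits. Algorithm 1 (RSA/MD5) uses
    a different rule (Appendix B.1) and is rejected here."""
    if rdata[3] == 1:
        raise ValueError("key tag for algorithm 1 (RSA/MD5) not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def group_by_tag(rrset):
    """Map (key tag, algorithm) -> every DNSKEY an RRSIG with that tag could name."""
    groups = defaultdict(list)
    for key in rrset:
        groups[(key_tag(key.rdata()), key.algorithm)].append(key)
    return dict(groups)


def colliding_tags(rrset):
    """The (tag, algorithm) pairs shared by more than one key in the RRset."""
    return {ta: keys for ta, keys in group_by_tag(rrset).items() if len(keys) > 1}


# Stand-in for asymmetric signing/verification (constructed for this example;
# real DNSSEC uses RSA or ECDSA/EdDSA over the public key in the DNSKEY).
def sign(key: DNSKey, data: bytes) -> bytes:
    return hmac.new(key.public_key, data, hashlib.sha256).digest()


def verify(key: DNSKey, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), signature)


def make_rrsig(key: DNSKey, data: bytes) -> RRSIG:
    return RRSIG(key.algorithm, key_tag(key.rdata()), sign(key, data))


def validate(rrset, data, rrsigs, policy, budget=4):
    """Validate `data` against `rrsigs` under one resolver policy.

    "unbounded": try every candidate key for every RRSIG; work grows as
                 (number of RRSIGs) x (number of keys sharing the tag).
    "strict":    refuse to validate as soon as an RRSIG's key tag is ambiguous.
    "bounded":   try candidates, but stop after `budget` verifications in total.
    Returns (status, number of signature verifications performed).
    """
    groups = group_by_tag(rrset)
    work = 0
    for sig in rrsigs:
        candidates = groups.get((sig.key_tag, sig.algorithm), [])
        if policy == "strict" and len(candidates) > 1:
            return "refused", work
        for key in candidates:
            if policy == "bounded" and work >= budget:
                return "bogus", work
            work += 1
            if verify(key, data, sig.signature):
                return "secure", work
    return "bogus", work


# Constructed DNSKEY RRset. KSK_B's public key is KSK_A's with two 16-bit
# words swapped: the keys differ, but the word sum, and so the key tag, is equal.
KSK_A = DNSKey(257, 13, bytes(range(1, 9)))
KSK_B = DNSKey(257, 13, bytes([3, 4, 1, 2, 5, 6, 7, 8]))
ZSK = DNSKey(256, 13, bytes(range(0x10, 0x18)))
RRSET = [KSK_A, KSK_B, ZSK]
DATA = b"example. 3600 IN A 192.0.2.1"  # constructed signed data


if __name__ == "__main__":
    for k in RRSET:
        print(f"flags={k.flags} alg={k.algorithm} tag={key_tag(k.rdata())}")
    print("collisions:", {ta: len(ks) for ta, ks in colliding_tags(RRSET).items()})
    good = [make_rrsig(KSK_B, DATA)]
    flood = [RRSIG(13, key_tag(KSK_A.rdata()), b"\x00" * 32)] * 10
    for policy in ("unbounded", "strict", "bounded"):
        print(policy, "good:", validate(RRSET, DATA, good, policy),
              "flood:", validate(RRSET, DATA, flood, policy))
```

Run as a script it prints the three key tags (the two KSKs share one), then the outcome of each policy for a single valid RRSIG and for ten bogus RRSIGs that all name the colliding tag. The unbounded validator performs twenty verifications on the flood, the bounded one stops at its budget, and the strict one performs none but also refuses the legitimately signed data, which is the "break something" cost of outlawing collisions outright that the thread weighs against bounding the work.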