A key tag collision could trigger a cache flush.

On Thu, 15 Feb 2024 at 15:53, Bob Harold <rharo...@umich.edu> wrote:

> I don't think we can completely avoid tag collisions in a multi-signer
> situation.  They could detect and correct a collision, but due to the long
> TTLs in many TLDs, that could take 24 hours.  So I think resolvers should
> allow for at least a few collisions and not fail on the first one.
>
>
> --
> Bob Harold
>
>
> On Thu, Feb 15, 2024 at 3:39 PM Ralf Weber <d...@fl1ger.de> wrote:
>
>> Moin!
>>
>> On 15 Feb 2024, at 11:35, Paul Hoffman wrote:
>> > Resolvers can already have policies that don't allow them; that has
>> been true for 20 years. There is nothing stopping any resolver from saying
>> "I found a keytag collision so I'm not going to validate". Fortunately,
>> we're seeing resolvers instead saying "I'll bound the amount of work I do
>> when I see colliding keytags".
>>
>> I don’t know which resolver had key tag collision limits for 20 years,
>> but am happy to be educated. Anyway outlawing key tag collisions was and
>> IMHO still is on the table. It’s just that we didn’t want to break anything
>> immediately.
>>
>>
>> > Compare that to "we're going to change a 20-year-old spec, wait for
>> years for the changes to be implemented, and only then change the way
>> validators work". The current situation is much more sustainable.
>>
>> We have had in recent history a lot of drafts that even were implemented
>> before they became RFC and had much larger failure ratios. I see no reason
>> to not immediately implement an RFC that says key tag collisions are not
>> allowed.
>>
>> So long
>> -Ralf
>> ——-
>> Ralf Weber
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
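The key tag the thread argues about is the 16-bit checksum of RFC 4034 Appendix B, so distinct DNSKEYs can legitimately share one. The following is an added example, not code from the list or from any resolver: it computes the tag, constructs colliding DNSKEYs, and applies the kind of bounded policy Bob describes (try a few matching keys, refuse past a limit). MAX_CANDIDATES and the DNSKEY data are assumed values.

```python
MAX_CANDIDATES = 4  # assumed policy bound, not taken from any RFC or resolver


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (flags, protocol, algorithm, public key)
    per RFC 4034 Appendix B: sum the data as big-endian 16-bit words and
    fold the carry back in.  Algorithm 1 (RSA/MD5) used a different rule
    that is deliberately not handled here."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialize DNSKEY RDATA; the protocol octet is always 3 for DNSSEC."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey


def colliding_variants(pubkey: bytes, n: int) -> list:
    """Constructed test data: n distinct public keys with identical key
    tags.  Swapping two bytes at even offsets (the 4-byte DNSKEY header
    keeps offset parity) leaves the word sum, and so the tag, unchanged."""
    variants = [pubkey]
    for j in range(1, n):
        swapped = bytearray(pubkey)
        swapped[0], swapped[2 * j] = swapped[2 * j], swapped[0]
        variants.append(bytes(swapped))
    return variants


def candidate_keys(dnskeys: list, sig_tag: int, sig_alg: int):
    """Keys a validator would try for an RRSIG: every DNSKEY whose tag and
    algorithm match, since the tag alone does not identify a key.  Returns
    None when the collision count exceeds the policy bound, so the caller
    can treat the RRset as bogus instead of doing unbounded work."""
    matches = [k for k in dnskeys
               if k[1] == sig_alg and key_tag(dnskey_rdata(*k)) == sig_tag]
    return None if len(matches) > MAX_CANDIDATES else matches


if __name__ == "__main__":
    # Constructed DNSKEYs: KSK flags 257, algorithm 13; the public key
    # bytes are made up and are not a valid curve point.
    keys = [(257, 13, pk) for pk in colliding_variants(bytes(range(1, 17)), 5)]
    tag = key_tag(dnskey_rdata(*keys[0]))
    print("all five keys share tag", tag, {key_tag(dnskey_rdata(*k)) for k in keys})
    print("two collisions, keys tried:", len(candidate_keys(keys[:2], tag, 13)))
    print("five collisions, refused:", candidate_keys(keys, tag, 13) is None)
```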