On 2/20/24, 16:35, "Mark Andrews" <ma...@isc.org> wrote:

> Validator resource consumption (CPU) *is* tied to tags.

The number of tag collisions is related but is not the only cause of the validator resource consumption vulnerability.

> Without tags the cost of verification increases and the number of cache misses
> that can be handled decreases as the number of keys per algorithm increases. A
> tag collision undoes the value of the tag for the keys that collide.
>
> 1 -> 1
> 2 -> 1.5
> 3 -> 2
> 4 -> 2.5

There are two basic ways to put a cap on how much effort you are willing to put into accomplishing something. One is to cap the time taken and another is to cap the steps taken. One can combine the two, and/or substitute resources for steps. Capping time is capping the most generic commodity. Capping by steps means having to decide what is the reasonable limit, perhaps having to make a judgement call on what is a step.

Using CNAME and DNAME redirects, negative answer proofs, etc., also contribute.

Therefore, I don't see eliminating key tag collisions as the root cause to solve. It's certainly one of the root causes, but eliminating collisions ("barring them by specification") is not going to completely solve the problem and a validator still has to deal with the possibility of encountering collisions, via non-compliant (old, buggy) code or receiving maliciously intentional colliding keys.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
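As an added illustration (not part of the thread above, and not code from any validator), a small model of the verification effort Mark's table describes: a validator trying DNSKEYs of one algorithm until one verifies an RRSIG, with and without using the key tag to narrow the candidates, and with an optional step cap of the kind the reply discusses. The keys, tags and the `Key`/`verify_attempts` names are constructed for the example.

```python
"""Model of DNSSEC signature-verification effort with and without key tags."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Key:
    """Constructed stand-in for one DNSKEY RR (no real key material)."""
    algorithm: int
    tag: int
    name: str  # label only, so tests can tell which key is the signer


def make_keys(tags: List[int], algorithm: int = 13) -> List[Key]:
    """Build constructed DNSKEYs of one algorithm with the given key tags."""
    return [Key(algorithm, t, f"key{i}") for i, t in enumerate(tags)]


def verify_attempts(keys: List[Key], sig_alg: int, sig_tag: int, signer: Key,
                    use_tags: bool, step_cap: Optional[int] = None) -> Optional[int]:
    """Number of cryptographic verifications a validator performs before the
    RRSIG verifies under `signer`, or None if a step cap stops it first.
    Every attempted verification counts as one step, whether or not it succeeds."""
    candidates = [k for k in keys if k.algorithm == sig_alg]
    if use_tags:
        # Key tag narrows the candidate set; colliding tags stay in it.
        candidates = [k for k in candidates if k.tag == sig_tag]
    attempts = 0
    for k in candidates:
        if step_cap is not None and attempts >= step_cap:
            return None  # budget exhausted: treat as validation failure
        attempts += 1  # one signature verification
        if k is signer:
            return attempts
    return None  # no candidate verified


def average_attempts(keys: List[Key], algorithm: int, use_tags: bool) -> float:
    """Average verifications when each key of the algorithm is equally likely
    to be the real signer (uncapped), i.e. the cost column of Mark's table."""
    same_alg = [k for k in keys if k.algorithm == algorithm]
    total = sum(verify_attempts(keys, algorithm, s.tag, s, use_tags)
                for s in same_alg)
    return total / len(same_alg)
```

With four distinct tags, `average_attempts(..., use_tags=False)` reproduces the 2.5 in the quoted table while the tag-guided search averages 1; giving two keys the same tag pulls the tag-guided average back up, which is the collision cost the thread is about.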