It appears that Peter Thomassen <pe...@desec.io> said:
>
> On 2/16/24 17:19, Jim Reid wrote:
>
> It rather seems like inviting instability, then telling the signer "well, you
> knew...! Or should have, at least."
>
> I don't see in what way that's better than what we have with the current
> fixes, which successfully address the problem and (AFAICS) don't need to be
> touched again.
While I should have been doing something else, I scanned all of the gTLD zone files with more than a million names looking for keytag collisions. I also looked at .SE and .NU because the zone files are available and .NU has a lot of signed delegations. The total number of domains was about 200 million, although most of them are not signed.

The total number of domains where I found duplicate tags was 105. Of those, all but 20 were KSK and ZSK with the same tag, which should be harmless. The total number where there were more than two tags with the same ID was ZERO.

So while I understand why BIND and Unbound did the stuff they did, in practice if you return SERVFAIL when you see three keys with the same ID, you will be fine and nobody will notice. Counting RRSIGs is harder, but given the low number of keys, I expect a similarly low limit on signatures would be equally effective.

This really is a tempest in a teapot.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
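As an added illustration of the kind of zone scan described in the post (example code, not John's own tooling), the following Python computes RFC 4034 key tags for DNSKEY records in presentation format, groups keys per owner by tag, and separates the KSK/ZSK same-tag pair the post calls harmless from the three-or-more case a resolver might refuse with SERVFAIL. The zone excerpt, its owner names and its tiny public keys are constructed placeholders chosen so that some tags collide.

```python
import base64
import struct
from collections import defaultdict

# Constructed zone-file excerpt (presentation-format DNSKEY RRs). The public
# keys are placeholder byte strings, not real keys; they are chosen so that
# three.example. has three keys sharing one tag and two.example. has a
# KSK/ZSK pair sharing a tag.
ZONE = """\
three.example. 3600 IN DNSKEY 257 3 13 AAEAAg==
three.example. 3600 IN DNSKEY 257 3 13 AAIAAQ==
three.example. 3600 IN DNSKEY 257 3 13 AAAAAw==
two.example.   3600 IN DNSKEY 257 3 13 AAAAAg==
two.example.   3600 IN DNSKEY 256 3 13 AAEAAg==
clean.example. 3600 IN DNSKEY 257 3 13 AAEAAg==
"""

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    if algorithm == 1:
        raise ValueError("algorithm 1 uses a different key tag rule (RFC 4034 B.1)")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):           # sum RDATA as 16-bit big-endian words
        ac += b << 8 if i % 2 == 0 else b   # odd-length RDATA is handled naturally
    ac += (ac >> 16) & 0xFFFF               # fold the carry back in
    return ac & 0xFFFF

def parse_dnskeys(zone_text: str):
    """Yield (owner, flags, tag) for each DNSKEY RR in presentation format."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3].upper() != "DNSKEY":
            continue
        owner, flags, proto, alg = f[0].lower(), int(f[4]), int(f[5]), int(f[6])
        pubkey = base64.b64decode("".join(f[7:]))   # key may be split across fields
        yield owner, flags, key_tag(flags, proto, alg, pubkey)

def find_collisions(zone_text: str) -> dict:
    """Map (owner, tag) -> list of flags for every tag shared by 2+ keys of one owner."""
    groups = defaultdict(list)
    for owner, flags, tag in parse_dnskeys(zone_text):
        groups[(owner, tag)].append(flags)
    return {k: v for k, v in groups.items() if len(v) > 1}

def classify(flags_list) -> str:
    """Distinguish the harmless KSK/ZSK pair from three or more same-tag keys."""
    if len(flags_list) > 2:
        return "three_or_more"   # the case where a resolver could simply return SERVFAIL
    sep_bits = {f & 0x0001 for f in flags_list}   # SEP flag set on KSKs, clear on ZSKs
    return "ksk_zsk_pair" if sep_bits == {0, 1} else "same_role_pair"

if __name__ == "__main__":
    for (owner, tag), flags in find_collisions(ZONE).items():
        print(owner, tag, flags, classify(flags))
```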