On Wed, 28 Feb 2024, Shumon Huque wrote:
Banning keytag collisions outright today would not be a good idea - we risk rendering some sights unresolvable through no fault of their own. DNSSEC already has plenty of detractors, and we don't want to give them more ammunition by creating problems in the ecosystem that can be easily avoided. I think writing a BCP telling folks how to avoid collisions would make sense though (and yes, it needs to cover the multi-signer case too).
The multisigner case is a database update problem which is surprisingly hard to get right. Either you need locked updates which are slow and subject to hanging, or you need to detect collisions and retry, which has its own problems (BTDT).
If we can live with small numbers of collisions, the whole problem is a lot more tractable.
Too bad there's no room for grease in DNSKEYs. If you were allowed to add a byte or two of noise, you could constrain the range of the key IDs you generated, which would let you partition the ID space among multiple signers. That would be (other than the grease kludge) an elegant way out.
R's, John _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
