> The full key is not there. There is only a key tag. Are you proposing a wire
> format change to DNSSEC that puts the full key there? That would be hard and
> slow to deploy and use up valuable bytes of the limited +/- 1400 bytes.
>
>> Wouldn't that limit the risk of collision?
>
> At a price, yes.
Technically only a SHA-2 hash of the key would need to be there. If somebody can create a SHA-2 hash collision then the world has bigger problems than a DoS on DNSSEC validation. However, changing RRSIG is probably not practical unless there are other reasons to change it.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
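To make the trade-off under discussion concrete, here is an added example (not code from the thread or from any DNS implementation) that computes the 16-bit RFC 4034 key tag for constructed DNSKEY RDATA, shows two distinct keys sharing a tag so that a validator has more than one candidate key to try for one RRSIG, and contrasts that with selecting the key by a SHA-256 digest, which identifies exactly one key. The key material, the flag/algorithm values and the helper names are assumptions made for the illustration.

```python
import hashlib
from typing import Dict, List


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Constructed DNSKEY RDATA: flags (2 bytes), protocol (always 3),
    algorithm (1 byte), then the public key field."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than 1): sum the RDATA
    as big-endian 16-bit words, fold the carry once, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_digest(rdata: bytes) -> str:
    """Full-strength identifier: SHA-256 over the DNSKEY RDATA. (A DS record's
    digest additionally covers the owner name; only the RDATA is hashed here.)"""
    return hashlib.sha256(rdata).hexdigest()


# Constructed keys with flags=257 (KSK), algorithm=13; the public key fields are
# shortened placeholders. A and B are chosen so their 16-bit word sums coincide.
KEYS: Dict[str, bytes] = {
    "A": dnskey_rdata(257, 13, bytes.fromhex("01020304")),
    "B": dnskey_rdata(257, 13, bytes.fromhex("02010205")),
    "C": dnskey_rdata(257, 13, bytes.fromhex("0a0b0c0d")),
}


def candidates_by_tag(keys: Dict[str, bytes], rrsig_key_tag: int) -> List[str]:
    """What a validator does today: every DNSKEY whose tag matches the RRSIG's
    key tag is a candidate, and each candidate costs a signature verification."""
    return [name for name, rd in keys.items() if key_tag(rd) == rrsig_key_tag]


def candidates_by_digest(keys: Dict[str, bytes], rrsig_key_digest: str) -> List[str]:
    """The alternative raised in the thread: select the key by a SHA-2 digest,
    so a collision would require breaking the hash rather than a 16-bit checksum."""
    return [name for name, rd in keys.items() if key_digest(rd) == rrsig_key_digest]


if __name__ == "__main__":
    for name, rd in KEYS.items():
        print(name, key_tag(rd), key_digest(rd)[:16])
    print("by tag 2068:", candidates_by_tag(KEYS, 2068))
    print("by digest of A:", candidates_by_digest(KEYS, key_digest(KEYS["A"])))
```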