> Remember that the keytags are just a hint to limit the number of keys
> you need to check for each signature. If I have a zone with 300
> signatures per key, it's still going to take a while to check them all
> even with no duplicate tags. It won't be as bad as the quadratic
> keytrap but it'll still be annoying.
If key tags are unique, then a validator can just discard anything that has multiple signatures with the same key tag. So to reach the 300 signatures on a single RR set, you would need to have 300 keys in the DNSKEY RR set. In that case, we can assume that the validator will just discard the DNSKEYs. So the validation effort would be zero. Not a very good attack.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
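The work-bounding policy argued in this exchange, as an added example that is not code from the thread or from any resolver: a validator computes key tags (RFC 4034 Appendix B), refuses oversized DNSKEY RRsets, discards an RRset carrying several RRSIGs under one key tag when the tags are unique, and caps the number of verifications it will attempt. The limits `MAX_KEYS` and `MAX_VERIFICATIONS` are assumed, illustrative values.

```python
import struct
from collections import Counter

MAX_KEYS = 16            # assumed cap on DNSKEYs a validator will consider
MAX_VERIFICATIONS = 64   # assumed cap on signature checks per RRset


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSAMD5 form)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def plan_verifications(key_tags, sig_tags, max_keys=MAX_KEYS,
                       max_verifications=MAX_VERIFICATIONS):
    """Return the (key index, signature index) pairs worth verifying, or None
    to discard the RRset before doing any cryptography.

    key_tags: key tag of each DNSKEY in the zone's DNSKEY RRset.
    sig_tags: key tag carried by each RRSIG over the RRset being validated.
    """
    # Oversized DNSKEY RRset: discard outright, so 300 keys cost nothing.
    if len(key_tags) > max_keys:
        return None
    if len(set(key_tags)) == len(key_tags):
        # Unique key tags: a key usefully signs an RRset once, so several
        # RRSIGs sharing one tag are grounds to discard the RRset.
        if any(n > 1 for n in Counter(sig_tags).values()):
            return None
    by_tag = {}
    for k, tag in enumerate(key_tags):
        by_tag.setdefault(tag, []).append(k)
    # Each RRSIG is tried only against keys whose tag matches; with unique
    # tags that is at most one verification per signature. Colliding tags
    # multiply the pairs, so the total is capped as well.
    pairs = [(k, s) for s, tag in enumerate(sig_tags) for k in by_tag.get(tag, [])]
    if len(pairs) > max_verifications:
        return None
    return pairs
```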