Remember that the keytags are just a hint to limit the number of keys
you need to check for each signature. If I have a zone with 300
signatures per key, it's still going to take a while to check them all
even with no duplicate tags. It won't be as bad as the quadratic
keytrap but it'll still be annoying.

> If key tags are unique, then a validator can just discard anything that
> has multiple signatures with the same key tag.

No, that's not how it works. The signatures might have different time
ranges or otherwise be different but still plausibly valid. Please review
RFCs 4034 and 4035.
R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
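An added example, written for this page and not code from John or the DNSOP list, that walks through the two points above: key tags only narrow the candidate DNSKEY set, so the validator still pays one verification per candidate per RRSIG, and "drop every RRSIG whose key tag repeats" rejects a perfectly valid RRset whose signatures from one key merely have different validity windows. Key tag computation follows RFC 4034 Appendix B and candidate selection follows RFC 4035 section 5.3.1; the signing and verification here are a constructed hash stand-in (not RSA/ECDSA), the DNSKEY and RRSIG records are constructed, and the `max_failures` cap is my own illustration of a per-RRset limit on failed verifications, not anything from the RFCs.

```python
import hashlib
import hmac
import itertools
import struct
from collections import Counter
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (flags, protocol, algorithm, public key), RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes  # constructed stand-in bytes, not a real public key

    def tag(self) -> int:
        return key_tag(struct.pack("!HBB", self.flags, 3, self.algorithm) + self.public_key)


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    inception: int   # seconds, as in the RRSIG wire format
    expiration: int
    signature: bytes


def _stand_in_sig(key: DNSKEY, inception: int, expiration: int, data: bytes) -> bytes:
    # Stand-in for public-key signing: a hash bound to the key and the signed fields.
    return hashlib.sha256(key.public_key + struct.pack("!II", inception, expiration) + data).digest()


def make_rrsig(key: DNSKEY, inception: int, expiration: int, data: bytes) -> RRSIG:
    return RRSIG(key.algorithm, key.tag(), inception, expiration,
                 _stand_in_sig(key, inception, expiration, data))


def verify(key: DNSKEY, sig: RRSIG, data: bytes) -> bool:
    return hmac.compare_digest(_stand_in_sig(key, sig.inception, sig.expiration, data), sig.signature)


def validate_rrset(rrsigs, dnskeys, data, now, max_failures=None):
    """RFC 4035 s5.3.1 candidate selection: a DNSKEY is tried for an RRSIG only when algorithm
    and key tag match and `now` lies inside the RRSIG's validity window. Returns
    (secure, verification_attempts); max_failures is an illustrative cap, not from the RFC."""
    candidates = {}
    for key in dnskeys:
        candidates.setdefault((key.tag(), key.algorithm), []).append(key)
    attempts = failures = 0
    for sig in rrsigs:
        if not (sig.inception <= now <= sig.expiration):
            continue  # outside its validity period: no cryptographic work at all
        for key in candidates.get((sig.key_tag, sig.algorithm), []):
            attempts += 1
            if verify(key, sig, data):
                return True, attempts
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return False, attempts
    return False, attempts


def discard_duplicate_tags(rrsigs):
    """The heuristic proposed in the quoted message: drop every RRSIG whose key tag repeats."""
    counts = Counter(sig.key_tag for sig in rrsigs)
    return [sig for sig in rrsigs if counts[sig.key_tag] == 1]


def colliding_keys(n: int, flags: int = 257, algorithm: int = 13):
    """Constructed, distinct DNSKEYs sharing one key tag: the tag is a positional byte sum, so
    permuting bytes among same-parity positions keeps it (a 16-bit hint, not an identifier)."""
    even, odd = [0x10, 0x30, 0x50, 0x70, 0x90], [0x02, 0x04, 0x06, 0x08, 0x0A]
    keys = []
    for perm in itertools.permutations(even):
        if len(keys) == n:
            break
        keys.append(DNSKEY(flags, algorithm, bytes(b for pair in zip(perm, odd) for b in pair)))
    return keys


def demo():
    data = b"example. IN A 192.0.2.1"  # constructed: the canonical RRset bytes a signature covers
    now = 3000
    key = DNSKEY(257, 13, bytes(range(1, 11)))
    # Two signatures by the same key with different, overlapping validity windows (re-signing).
    overlapping = [make_rrsig(key, 1000, 3500, data), make_rrsig(key, 2500, 5000, data)]
    bogus = [RRSIG(key.algorithm, key.tag(), 0, 10**9, hashlib.sha256(b"bogus %d" % i).digest())
             for i in range(300)]
    tagged = colliding_keys(4)
    bogus_collide = [RRSIG(13, tagged[0].tag(), 0, 10**9, hashlib.sha256(b"bogus %d" % i).digest())
                     for i in range(300)]
    return {
        "overlap_rfc": validate_rrset(overlapping, [key], data, now),                           # (True, 1)
        "overlap_discard": validate_rrset(discard_duplicate_tags(overlapping), [key], data, now),  # (False, 0)
        "unique_tag_300": validate_rrset(bogus, [key], data, now),                               # (False, 300)
        "unique_tag_capped": validate_rrset(bogus, [key], data, now, max_failures=16),           # (False, 16)
        "colliding_tags_300": validate_rrset(bogus_collide, tagged, data, now),                  # (False, 1200)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} secure={result[0]!s:5s} verification attempts={result[1]}")
```

The "unique_tag_300" row is John's point: with one key and unique tags the work is linear in the 300 signatures rather than keys times signatures, but every signature inside its validity window still costs a verification. The "overlap_discard" row is the flaw in the quoted heuristic: both RRSIGs share a tag because they come from the same key, and dropping them turns a secure answer into a failure. The capped row shows the defensive knob that does not depend on tag uniqueness: bounding failed verifications per RRset.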