In your letter dated Sat, 2 Mar 2024 16:55:59 -0400 you wrote:
>The core DNSSEC protocol includes multi-signer. RFC 8901 just spells out explicitly how it is covered by the protocol; that's why its status is Informational.
>
>> The first step to conclude is that for the core DNSSEC protocol, requiring
>> unique key tags is doable.
>
>No. There is no core and non-core part of the spec. Support for multiple keys, including keytag collisions, simply is part of that protocol.
What I mean is that if we take all of the standards track DNSSEC RFCs and we add a new RFC that says something to the effect:

1) A signer MUST NOT sign a DS or DNSKEY RRset if the set has duplicate key tags.

2) An authoritative DNS server MUST NOT serve a set of RRSIG records that corresponds to a single RRset where the collection of RRSIG records has a duplicate key tag.

then, as far as I can tell, there is no conflict with currently published standards track DNSSEC RFCs.

In addition, for most signers and authoritative servers it will be easy to meet those requirements, and many signers are already in line with those requirements.

The only thing that prevents us from publishing such an update is an informational RFC about multi-signers (or other practices that are not documented or standardized within the IETF).

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
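The two rules proposed in the message above can be checked offline by a signer or an authoritative server before it publishes anything. The following is an added example (it is not code from the thread, from any DNSSEC implementation, or from an RFC): it computes DNSKEY key tags with the RFC 4034 Appendix B algorithm, flags DNSKEY RRsets whose keys collide on a key tag (rule 1), and flags RRSIG sets for one RRset that carry the same key tag twice (rule 2). The DNSKEY and RRSIG records in it are constructed, not real keys or signatures; they are built so that two ZSKs deliberately share a key tag, which happens because the key tag is a sum of 16-bit words of the RDATA and so does not change when two words of the public key are swapped.

```python
"""Key-tag collision checks for DNSKEY and RRSIG sets (RFC 4034, Appendix B).

Added example, not from the DNSOP thread or any DNSSEC implementation.
All records below are constructed test data, not real keys or signatures.
"""
import base64
from collections import defaultdict


def keytag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (flags | protocol | algorithm | public key).

    Appendix B.1 for every algorithm except 1; Appendix B.2 (deprecated
    RSA/MD5) takes the tag from the trailing bytes of the public key.
    """
    if rdata[3] == 1:  # algorithm 1: most significant 16 bits of the low 24 bits
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)  # big-endian 16-bit word sum
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_dnskey(presentation: str):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> (owner, key tag, rdata)."""
    f = presentation.split()
    owner, flags, proto, alg = f[0], int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return owner, keytag(rdata), rdata


def duplicate_tags(tagged):
    """tagged: iterable of (key tag, label). Return {tag: [labels]} for tags seen twice or more."""
    seen = defaultdict(list)
    for tag, label in tagged:
        seen[tag].append(label)
    return {t: labels for t, labels in seen.items() if len(labels) > 1}


def check_dnskey_rrset(records):
    """Rule 1: a signer refuses to sign a DNSKEY RRset whose keys share a key tag."""
    return duplicate_tags((tag, rdata.hex()) for _owner, tag, rdata in map(parse_dnskey, records))


def check_rrsig_set(rrsigs):
    """Rule 2: the RRSIG set for one RRset must not carry the same key tag twice.

    Presentation: owner TTL IN RRSIG type alg labels origttl expire incept keytag signer sig...
    The key tag is field 10 and the signer name field 11.
    """
    return duplicate_tags((int(rr.split()[10]), rr.split()[11]) for rr in rrsigs)


# Constructed DNSKEY RRset. The two ZSKs (flags 256) collide: their public keys
# contain the same 16-bit words in a different order, and the key tag is a
# word sum, so both come out as 2067. The KSK (flags 257) has tag 2068.
SAMPLE_DNSKEYS = [
    "example. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "example. 3600 IN DNSKEY 256 3 13 AQIDBA==",
    "example. 3600 IN DNSKEY 256 3 13 AwQBAg==",
]

# Constructed RRSIG set over one A RRset, signed by both colliding ZSKs.
SAMPLE_RRSIGS = [
    "example. 3600 IN RRSIG A 13 1 3600 20240401000000 20240301000000 2067 example. c2lnMQ==",
    "example. 3600 IN RRSIG A 13 1 3600 20240401000000 20240301000000 2067 example. c2lnMg==",
]

if __name__ == "__main__":
    for rr in SAMPLE_DNSKEYS:
        owner, tag, _ = parse_dnskey(rr)
        print(f"{owner} key tag {tag}")
    print("DNSKEY collisions:", check_dnskey_rrset(SAMPLE_DNSKEYS))
    print("RRSIG collisions:", check_rrsig_set(SAMPLE_RRSIGS))
```

A signer would run `check_dnskey_rrset` over the DNSKEY RRset it is about to sign (and the equivalent over the DS RRset it is about to publish) and refuse if the result is non-empty; an authoritative server would run `check_rrsig_set` over each RRset's RRSIG collection before serving it. Both checks are local and need no change to the validator side.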