It appears that Philip Homburg <pch-dnso...@u-1.phicoh.com> said:
>What I mean is that if we take all of the standards track DNSSEC RFCs and we
>add a new RFC that says something to the effect:
>1) A signer MUST NOT sign a DS or DNSKEY RRset if the set has duplicate key
>   tags.
>2) An authoritative DNS server MUST not serve a set of RRSIG records that
>   corresponds to a single RRset where the collection of RRSIG records has a
>   duplicate key tag.
>
>then as far as I can tell, there is no conflict with currently published
>standards track DNSSEC RFCs.

Not at all. This would be an incompatible change that breaks existing working
DNS configurations, for at most a trivial simplification in load limiting code
many years from now, even assuming people were to implement it.

No. Just plain no.

R's,
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
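
An added example, not part of the original message or of any DNS implementation: what a signer-side check for rule 1 in the quoted proposal could look like for a DNSKEY RRset, using the key tag calculation from RFC 4034 Appendix B. The function names and the sample keys are constructed for illustration; DS RRsets and RRSIG sets are not covered.

```python
import struct
from collections import defaultdict


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low octet.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def duplicate_key_tags(rrset):
    """Return {tag: [rdata, ...]} for every tag shared by more than one distinct key."""
    by_tag = defaultdict(set)
    for rdata in rrset:
        by_tag[key_tag(rdata)].add(rdata)
    return {tag: sorted(keys) for tag, keys in by_tag.items() if len(keys) > 1}


# Constructed sample keys, not real key material. The tag is a 16-bit sum, so
# two different keys built from the same 16-bit words in a different order
# collide; real keys collide the same way, just by chance.
KSK = dnskey_rdata(257, 3, 13, bytes.fromhex("00010002"))
ZSK_A = dnskey_rdata(256, 3, 13, bytes.fromhex("0a0b0c0d"))
ZSK_B = dnskey_rdata(256, 3, 13, bytes.fromhex("0c0d0a0b"))

if __name__ == "__main__":
    clashes = duplicate_key_tags([KSK, ZSK_A, ZSK_B])
    for tag, keys in clashes.items():
        print(f"key tag {tag} is shared by {len(keys)} distinct DNSKEY records")
    if clashes:
        print("under the quoted rule 1 a signer would refuse to sign this RRset")
```
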