It appears that Paul Hoffman <paul.hoff...@icann.org> said:
>The problems are listed as:
>
>Colliding key tags impose additional work on a validating resolver, which then
>has to check signatures for each of the candidate set of keys identified by the Key Tag.
>Furthermore, they open up resolvers to computational denial of service attacks by adversaries
>deploying specially crafted zones with many intentionally colliding key tags [KEYTRAP].
I don't see why this is a problem that needs to be solved. I did a survey of the names in all the large gTLD zones and I never found more than a single collision per delegated zone. Resolvers can stop after, say, three collisions with a negligible chance of losing real DNS data. (Zones built with deliberate collisions don't count.) This is just one more implementation limit that started with the CNAME limit suggested in 1035.

I suppose we can suggest that people adjust their key generation systems to check the old and new keys, and regenerate the new key if there's a collision, but that is a minor and not very important tweak.

R's,
John
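As an added illustration (not code from the thread or from any resolver), this computes DNSKEY key tags per RFC 4034 Appendix B and applies the kind of validator-side cap John describes: for one RRSIG, try at most a fixed number of DNSKEYs sharing its key tag. The cap of three, the helper names and the DNSKEY fixtures (short constructed key fields, not real public keys) are assumptions made here.

```python
"""Key tag arithmetic from RFC 4034 Appendix B, plus a per-tag candidate cap."""
import struct
from collections import Counter
from typing import Dict, List, Tuple

# The "stop after, say, three" limit from the message above (a constructed constant).
MAX_CANDIDATES_PER_TAG = 3


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: Flags (2 octets), Protocol (1), Algorithm (1), Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Compute the key tag over the full DNSKEY RDATA (RFC 4034, Appendix B)."""
    if rdata[3] == 1:
        # Algorithm 1 (RSA/MD5, deprecated): 4th- and 3rd-to-last octets of the modulus (B.1).
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # even offsets form the high byte of each pair
    ac += (ac >> 16) & 0xFFFF                  # fold the carry back into the low 16 bits
    return ac & 0xFFFF


def collision_report(dnskeys: List[bytes]) -> Dict[int, int]:
    """Count how many DNSKEYs in one RRset share each key tag (>1 means a collision)."""
    return dict(Counter(key_tag(k) for k in dnskeys))


def candidates_for_rrsig(dnskeys: List[bytes], sig_key_tag: int, sig_algorithm: int,
                         cap: int = MAX_CANDIDATES_PER_TAG) -> Tuple[List[bytes], int]:
    """Keys a validator would try for one RRSIG, bounded by `cap`; also returns how many were skipped."""
    matching = [k for k in dnskeys if k[3] == sig_algorithm and key_tag(k) == sig_key_tag]
    return matching[:cap], max(0, len(matching) - cap)


def build_sample_keyset() -> List[bytes]:
    """Constructed fixture: four DNSKEYs labelled algorithm 13 that share tag 2583, plus one
    with tag 6679. The key fields are 6-byte stand-ins, not real public keys."""
    shared = [bytes([a, 0x01, b, 0x03, c, 0x05])
              for a, b, c in ((0x00, 0x02, 0x04), (0x02, 0x00, 0x04),
                              (0x04, 0x02, 0x00), (0x00, 0x04, 0x02))]
    distinct = bytes([0x10, 0x01, 0x02, 0x03, 0x04, 0x05])
    return [dnskey_rdata(257, 3, 13, k) for k in shared + [distinct]]


if __name__ == "__main__":
    keys = build_sample_keyset()
    print("collisions:", collision_report(keys))                      # {2583: 4, 6679: 1}
    tried, skipped = candidates_for_rrsig(keys, 2583, 13)
    print(f"tried {len(tried)} candidate key(s), skipped {skipped}")  # tried 3, skipped 1
```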