On Jul 27, 2024, at 20:00, John Levine <jo...@iecc.com> wrote:
>
> I am a bad person. My zone uses the new algorithm and I put in two keys with
> the same tag. Now what? Other than perhaps stopping at two keys rather than
> three, what is the difference in what resolvers do?
Answering just to further exploration of this - a resolver could elect to declare a service failure if it sees two keys in a DNSKEY resource record set suffering a collision. (Caveats - same DNS security algorithm as well.) Resolvers already are allowed to behave according to local policy and refuse to “work too hard” to validate data.

An idea I think is often overlooked is that the beneficiary of DNSSEC are resolvers (specifically caches); DNSSEC is supplying them cryptographic data to decide whether a data set has made it from the source to them unscathed. Often we (collectively) talk about DNSSEC being an extension of a zone administrator’s policy, but it isn’t, despite the zone setting all the parameters.

As part of my answering to "further exploration", I’m skeptical that it is possible to eliminate key tag collisions from the protocol. Not that collisions are in any way desirable or are worthy of being tolerated; my skepticism is whether or not elimination is possible. Which is why I was thinking of where it would be enforced - in a benign setting at the primary, which of course doesn’t mean it would catch malignant/malicious use cases. For the latter, the resolver is where duplicates would be, well, “forbidden” from causing wasted cycles.

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
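The local-policy check discussed in the reply above, as an added example that is not part of the original thread or of any resolver implementation: it computes key tags over DNSKEY RDATA with the RFC 4034 Appendix B algorithm, groups the keys of an RRset by (key tag, algorithm), and lets a hypothetical `resolver_decision` function declare SERVFAIL when a group has more candidate keys than the policy allows (the "stop at two keys rather than three" cap from the quoted question). The four DNSKEY records are constructed with short fake public keys so the tags can be checked by hand; `key-a` and `key-b` share tag 1037 under algorithm 13, while `key-d` has tag 1037 under algorithm 8 and is not a collision.

```python
"""DNSKEY key tag computation and key tag collision detection over an RRset.

Added example; the key tag algorithm is RFC 4034 Appendix B, everything else
(record names, policy function, sample keys) is constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key.
# Real public keys are far longer; these are short so the tags are easy to verify.
SAMPLE_RRSET: List[Tuple[str, bytes]] = [
    ("key-a", bytes.fromhex("0100030d00000000")),  # alg 13, tag 1037
    ("key-b", bytes.fromhex("0100030dffffffff")),  # alg 13, tag 1037 (collides with key-a)
    ("key-c", bytes.fromhex("0100030800000000")),  # alg 8,  tag 1032
    ("key-d", bytes.fromhex("0100030800050000")),  # alg 8,  tag 1037 (different algorithm, no collision)
]


def key_tag(rdata: bytes) -> int:
    """Key tag over wire-format DNSKEY RDATA (RFC 4034 Appendix B)."""
    algorithm = rdata[3]
    if algorithm == 1:
        # RFC 4034 B.1: RSA/MD5 takes the third- and second-to-last bytes of the modulus.
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # odd offsets are low bytes, even offsets high bytes
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF


def collision_groups(rrset: List[Tuple[str, bytes]]) -> Dict[Tuple[int, int], List[str]]:
    """Return {(key_tag, algorithm): [names]} for every group with more than one key.

    Same tag under a different algorithm is not a collision: an RRSIG names both.
    """
    groups: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for name, rdata in rrset:
        groups[(key_tag(rdata), rdata[3])].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def candidate_keys(rrset: List[Tuple[str, bytes]], sig_key_tag: int, sig_algorithm: int) -> List[str]:
    """Keys a validator would have to try for an RRSIG carrying this tag and algorithm.

    Every extra entry here is a signature verification the resolver may waste.
    """
    return [name for name, rdata in rrset
            if rdata[3] == sig_algorithm and key_tag(rdata) == sig_key_tag]


def resolver_decision(rrset: List[Tuple[str, bytes]], max_candidates: int = 1) -> str:
    """Hypothetical local policy: SERVFAIL if any (tag, algorithm) group exceeds the cap.

    max_candidates=1 refuses any collision at all; max_candidates=2 tolerates a pair
    but refuses a third key with the same tag and algorithm.
    """
    for names in collision_groups(rrset).values():
        if len(names) > max_candidates:
            return "SERVFAIL"
    return "OK"


if __name__ == "__main__":
    for name, rdata in SAMPLE_RRSET:
        print(f"{name}: algorithm={rdata[3]} key_tag={key_tag(rdata)}")
    print("collisions:", collision_groups(SAMPLE_RRSET))
    print("strict policy:", resolver_decision(SAMPLE_RRSET))
    print("tolerate a pair:", resolver_decision(SAMPLE_RRSET, max_candidates=2))
```

Run stand-alone it prints the tag of each constructed key, the single collision group `(1037, 13)`, and the two policy outcomes; the strict policy returns SERVFAIL for the sample RRset while a cap of two accepts it. Only the DNSKEY RDATA is needed, so the same check fits at a primary before a zone is published as well as in a validator's local policy.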