I believe that such a draft is NOT worth all the implied human effort,
I'm afraid. The idea isn't new, but let me reiterate my points below.
Even if we forbid all keytag collisions, there will be many more ways
in which attackers may attempt to generate lots of work for validating
resolvers (many RRSIGs, combination with CNAME chains, etc.). I don't
think such piecemeal approaches will really help, especially if they'd
take many years to actually restrict the attacks.
I'm aware that this is close to a "slippery slope" fallacy, but all
things considered, completely eliminating keytag collisions doesn't seem
worth the effort to me. On the other hand, note that bigger collisions
are extremely unlikely (e.g. four keys, all with the same tag). You
want to minimize the DNSKEY set sizes anyway, due to space restrictions,
so you can't really have dozens at once legitimately.
Strictly enforcing collision avoidance might complicate some less
centralized use cases. So such an RFC certainly isn't close to free or
without risks.
--Vladimir | knot-resolver.cz
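As an added illustration, not from this message and not Knot Resolver code: the RFC 4034 key tag computation, two constructed DNSKEYs whose tags collide, and a count of how many signature checks a validator spends per RRSIG when it has to try every key with a matching tag, with and without a per-RRset attempt budget. Key bytes, signatures and the verify stub are constructed.

```python
from collections import namedtuple

DNSKEY = namedtuple("DNSKEY", "flags protocol algorithm public_key")
RRSIG = namedtuple("RRSIG", "algorithm key_tag signature")

def dnskey_rdata(key: DNSKEY) -> bytes:
    # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def validation_attempts(keys, sigs, verify, budget=None):
    """Mimic a validator: for each RRSIG, try every DNSKEY whose algorithm and key tag
    match. Returns (secure, signature checks performed). With a budget, stop and treat
    the RRset as bogus once that many checks are spent (a mitigation, not a cure)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.algorithm != sig.algorithm or key_tag(dnskey_rdata(key)) != sig.key_tag:
                continue
            if budget is not None and attempts >= budget:
                return False, attempts
            attempts += 1
            if verify(key, sig):
                return True, attempts
    return False, attempts

# Constructed sample keys. KEY_A and KEY_B share a tag: the tag sums bytes by position
# parity, so swapping two bytes that both sit at even positions leaves it unchanged.
KEY_A = DNSKEY(257, 3, 13, bytes([1, 2, 3, 4]))
KEY_B = DNSKEY(257, 3, 13, bytes([3, 2, 1, 4]))
KEY_C = DNSKEY(257, 3, 13, bytes([5, 6, 7, 8]))
KEYS = [KEY_A, KEY_B, KEY_C]

def verify_stub(key, sig):
    # Constructed stand-in for the real signature check: it "verifies" only when the
    # signature names the key it was made with.
    return sig.signature == b"signed-with:" + key.public_key

GOOD_SIG = RRSIG(13, key_tag(dnskey_rdata(KEY_B)), b"signed-with:" + KEY_B.public_key)
BAD_SIGS = [RRSIG(13, key_tag(dnskey_rdata(KEY_A)), b"garbage-%d" % i) for i in range(3)]
```

With one colliding pair and three bad RRSIGs the naive validator spends six checks; the budget caps that, but the same amplification is available through other means the message lists, which is the point being argued.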
DNSOP mailing list -- dnsop@ietf.org