> On 9 Jul 2025, at 02:32, Philip Homburg <[email protected]> wrote:
>
>> On 7/8/25 02:17, John Levine wrote:
>>> It appears that Shumon Huque <[email protected]> said:
>>>> Please review the draft and speak up if you have comments, and would like
>>>> to see this draft adopted (or not).
>>>
>>> I don't hate the draft but since we have been living with colliding tags for two
>>> decades and experience shows that collisions of more than two tags never appear
>>> unless maliciously created, this doesn't strike me as a good use of our time.
>>>
>>> Just add "more than two colliding tags" to the long list of limits in DNS
>>> resolvers and we can work on something else.
>>
>> +1
>
> Somewhat surprisingly, I didn't find collisions a big problem when validating
> but I do want to avoid collisions in a signer.
>
> In my opinion the important thing to solve is avoiding collisions in a
> multi-signer setup (and to some extent, when pre-generating keys).
BIND has had code to prevent collisions in single signer scenarios since the
very beginning. It also has the ability to specify key tag ranges that
multi-signers can use to prevent key tag collisions between independent
key generators.
dnssec-policy <string> {
    keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ]
           lifetime <duration_or_unlimited> algorithm <string>
           [ tag-range <integer> <integer> ] [ <integer> ]; ... };
    ...
}; // may occur multiple times
> I wonder what the timeline would be of deployment of this draft. This
> draft only simplifies validator code when all existing algorithms have been
> deprecated for validation. Which is likely to be a very long time in the
> future.
One could deprecate all existing algorithms the moment replacement code points
exist. Code point changes don’t take long to deploy.
> For future PQC algorithms it should be fine to just disallow collisions when
> they are specified.
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]