I strongly disagree.
My concerns are NOT about 107 marginal zones, but about large and
important zones (major TLDs) which currently operate
software/configurations that don't prevent keytag collisions, so it is
only a matter of random chance(!) whether a keytag collision appears during
any next key roll-over.
Remember, Flag Days were always about things that had been required by RFCs
for years/decades earlier and the failing parties failed to comply. This
situation is different, as it is still the case that no RFC even
suggests that keytag collision should be any kind of problem.
Therefore, again, I vote for creating/adopting a document that would
clearly describe the situation and requirements for both the
authoritative (signing) and recursive (validating) sides. It might even
work as a "BCP" for the operators stating that (and how!) they can
prevent (and be sure about it!) keytag collisions.
Libor
On 09. 07. 25 14:02, Petr Špaček wrote:
On 09. 07. 25 4:11, John Levine wrote:
It appears that Petr Špaček <[email protected]> said:
For colliding keytags, that's just nonsense. There's no incentive to
support these and BIND will currently refuse anything with more than one
collision.
I'm all for declaring
acceptable number of collisions = 0
I surveyed all the signed subdomains in gTLDs with more than a million
names last year, and found 107 domains with two colliding keytags, none
with three keytags.
If you forbid all collisions, you will break a small but non-zero number
of zones that work correctly today. If you allow one collision, you will
as far as I can tell break nothing.
Here's the slides.
https://docs.google.com/presentation/d/1snTpkDcRmJN8bbGx9XrOt5taUdS1xSElMB1Ok8s7Kko
I take that as an argument to forbid it!
107 sounds like a perfectly tractable number to fix. The two flag days
had waaaay wider reach, for example, and way more domains got fixed.
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
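A pre-rollover collision check of the kind the proposed operator BCP would describe, added here as an example that is not from the thread, BIND or any other DNS implementation: the RFC 4034 Appendix B key tag computed over three constructed DNSKEY records, two of which are crafted to share a tag. The record format, sample keys and function names are all assumptions.

```python
"""Check a DNSKEY RRset for key tag collisions (RFC 4034 Appendix B)."""
import base64
from collections import defaultdict


def key_tag(flags, protocol, algorithm, pubkey):
    """Compute the key tag over the DNSKEY RDATA as specified in RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    if algorithm == 1:
        # Algorithm 1 (RSA/MD5) instead uses the most significant 16 bits
        # of the least significant 24 bits of the public key modulus.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets weigh the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse presentation format 'owner [TTL] [IN] DNSKEY flags proto alg base64key'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return flags, proto, alg, pubkey


def find_collisions(records):
    """Return {(algorithm, tag): [distinct keys]} for tags shared by two or more keys.

    A validator picks candidate keys by algorithm and tag, so only keys with the
    same algorithm AND tag collide; identical duplicate records are ignored.
    """
    seen = defaultdict(list)
    for line in records:
        flags, proto, alg, pubkey = parse_dnskey(line)
        tag = key_tag(flags, proto, alg, pubkey)
        if (flags, proto, pubkey) not in seen[(alg, tag)]:
            seen[(alg, tag)].append((flags, proto, pubkey))
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample RRset: the first two keys differ only by swapping two
# even-offset bytes, which leaves the 16-bit sum (and therefore the tag) equal.
SAMPLE_RRSET = [
    "example. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "example. 3600 IN DNSKEY 257 3 13 AwIBBA==",
    "example. 3600 IN DNSKEY 256 3 13 BQYHCA==",
]

if __name__ == "__main__":
    for (alg, tag), keys in find_collisions(SAMPLE_RRSET).items():
        print(f"collision: algorithm {alg} tag {tag} shared by {len(keys)} keys")
```

Run against a zone's real DNSKEY RRset, an empty result is the "be sure about it" condition before publishing a new key.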