On 09. 07. 25 15:11, Libor Peltan wrote:
> I strongly disagree.
> My concerns are NOT about 107 marginal zones.
> But about large and important zones (major TLDs) which currently operate
> software/configurations that don't prevent keytag collisions, and it is
> only a matter of random chance(!) whether a keytag collision appears during
> any next key roll-over.
> Remember, Flag Days were always about things that were required by RFCs
> for years/decades earlier and the failing parties failed to comply. This
> situation is different, as it is still the case that no RFC even
> suggests that keytag collision should be any kind of problem.
> Therefore, again, I vote for creating/adopting a document that would
> clearly describe the situation and requirements for both the
> authoritative (signing) and recursive (validating) sides. It might even
> work as a "BCP" for the operators stating that (and how!) they can
> prevent (and be sure about it!) keytag collisions.
We are in violent agreement, Libor!
I was trying to say that I don't consider 107 zones as a sufficient
argument _against_ outlawing keytag collisions. And yes, I think a short
RFC is in order to document this.
--
Petr Špaček
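Added example, not from the thread and not code from any participant's software: the kind of pre-publish check an operator can run so they can "be sure about it", computing RFC 4034 Appendix B key tags over a DNSKEY RRset and refusing a roll-over candidate whose tag collides with a key already published. The key bytes are constructed to make the collision reproducible; they are not real public keys.

```python
import struct
from collections import defaultdict

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA of a DNSKEY RR (RFC 4034 section 2.1). The key tag is
    computed over exactly these bytes, so flags and algorithm contribute too."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except 1, RSA/MD5).
    It is a 16-bit checksum, not a hash: distinct keys can share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def colliding_tags(rrset):
    """Return {tag: [rdata, ...]} for every tag shared by more than one
    distinct key in the RRset; an empty dict means the RRset is clean."""
    by_tag = defaultdict(set)
    for rdata in rrset:
        by_tag[key_tag(rdata)].add(rdata)
    return {tag: sorted(keys) for tag, keys in by_tag.items() if len(keys) > 1}

def safe_to_introduce(rrset, candidate: bytes) -> bool:
    """Roll-over gate: the new key may be pre-published only if adding it to
    the current RRset leaves no key-tag collision. If this returns False the
    operator simply generates another key and tries again."""
    return not colliding_tags(list(rrset) + [candidate])

# Constructed sample keys (ECDSA P-256 = algorithm 13 header, toy key bytes).
KSK = dnskey_rdata(257, 3, 13, b"\x00\x01\x02\x03")          # tag 1554
ZSK_OLD = dnskey_rdata(256, 3, 13, b"\x02\x02\x02\x02")      # tag 2065
CURRENT_RRSET = [KSK, ZSK_OLD]
ZSK_NEW_BAD = dnskey_rdata(256, 3, 13, b"\x01\x01\x01\x04")  # tag 1554: collides with KSK
ZSK_NEW_OK = dnskey_rdata(256, 3, 13, b"\x03\x00\x00\x00")   # tag 1805: distinct

if __name__ == "__main__":
    for name, k in [("KSK", KSK), ("ZSK_OLD", ZSK_OLD),
                    ("ZSK_NEW_BAD", ZSK_NEW_BAD), ("ZSK_NEW_OK", ZSK_NEW_OK)]:
        print(f"{name:12s} tag={key_tag(k)}")
    print("introduce ZSK_NEW_BAD:", safe_to_introduce(CURRENT_RRSET, ZSK_NEW_BAD))
    print("introduce ZSK_NEW_OK: ", safe_to_introduce(CURRENT_RRSET, ZSK_NEW_OK))
```

On the validating side the same `key_tag` is what a resolver uses to pick candidate DNSKEYs for an RRSIG, which is why two keys sharing a tag force it to try more than one.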
_______________________________________________
DNSOP mailing list -- [email protected]