On 09. 07. 25 17:44, Jim Reid wrote:
> On 9 Jul 2025, at 15:43, John R Levine <[email protected]> wrote:
>> I still don't see the point.
>
> <AOL Mode>Me too!</AOL Mode>
>
> Wearing no hats and speaking only for myself:
>
> Key tag collisions don't appear to be causing a significant problem. I question if it's worth the WG's time kludging a solution for something that has such a (at best) marginal impact. It would be a different story if there was an angry mob with pitchforks and blazing torches demanding the WG fix this problem for them. But there isn't.

Can you clarify the source of your confidence about this 'not causing issues'?

I do have personal experience with supporting the BIND DNSSEC validator, and since post-KeyTrap we have seen an increase in 'this does not validate but looks legit' complaints.

One source of these issues is partially bogus RRSIG RRsets which, eventually, cause the validator to exceed the limit of allowed validation attempts.

Key tag collisions create RRSIGs which look bogus when validating, and AFAIK there's no way to disambiguate this. So collisions do decrease the reliability of the whole system in the end. Unless we want to go back to the pre-KeyTrap world.

--
Petr Špaček
Internet Systems Consortium
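The mechanism described in the message above, as an added example that is not part of this thread and not BIND's or ISC's code: a validator selects candidate DNSKEYs for an RRSIG by signer name, algorithm and key tag (RFC 4035 section 5.3.1), so a second key with a colliding tag costs one extra, failing verification attempt that counts against a bounded attempt budget. The key tag computation follows RFC 4034 Appendix B; signature verification is a stand-in (an HMAC over the signed data) rather than real RSA/ECDSA, and the zone name, key material, RRset bytes and the attempt limits are all constructed for the demo. The colliding key is built by permuting the 16-bit words of the first key, since the tag is a word sum and therefore order independent.

```python
"""Added example (not from the DNSOP thread, not BIND code): candidate key
selection by key tag, and how a key tag collision consumes validation attempts.
Verification is a stand-in HMAC, not real DNSSEC signature verification."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol,
    algorithm, public key): sum of 16-bit words, carry folded in once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.pubkey

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


@dataclass(frozen=True)
class RRSIG:
    signer: str
    algorithm: int
    key_tag: int
    signature: bytes


def sign_stand_in(key: DNSKEY, signed_data: bytes) -> RRSIG:
    # Stand-in for a real signature: HMAC keyed with the public key bytes.
    sig = hmac.new(key.pubkey, signed_data, hashlib.sha256).digest()
    return RRSIG(key.owner, key.algorithm, key.tag, sig)


def verify_stand_in(key: DNSKEY, rrsig: RRSIG, signed_data: bytes) -> bool:
    expected = hmac.new(key.pubkey, signed_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, rrsig.signature)


def candidate_keys(rrsig: RRSIG, dnskeys: list[DNSKEY]) -> list[DNSKEY]:
    """RFC 4035 5.3.1: a DNSKEY is a candidate when signer name, algorithm and
    key tag match and the Zone Key flag (bit 7 of flags) is set. A colliding
    tag passes this filter and can only be rejected by actually verifying."""
    return [k for k in dnskeys
            if k.owner == rrsig.signer and k.algorithm == rrsig.algorithm
            and k.tag == rrsig.key_tag and k.flags & 0x0100]


def validate(rrsig: RRSIG, dnskeys: list[DNSKEY], signed_data: bytes,
             max_attempts: int) -> tuple[str, int]:
    """Try candidates in RRset order until one verifies. Returns (status,
    attempts). The budget models a post-KeyTrap style validation limit: once
    it is spent the RRSIG is bogus even if a good key was still untried."""
    attempts = 0
    for key in candidate_keys(rrsig, dnskeys):
        if attempts >= max_attempts:
            return ("bogus", attempts)
        attempts += 1
        if verify_stand_in(key, rrsig, signed_data):
            return ("secure", attempts)
    return ("bogus", attempts)


def demo() -> dict:
    signed = b"www.example. 3600 IN A 192.0.2.1"        # constructed RRset bytes
    pub_a = hashlib.sha256(b"demo key A").digest()       # constructed key material
    words = [pub_a[i:i + 2] for i in range(0, len(pub_a), 2)]
    pub_b = b"".join(words[1:] + words[:1])              # same words, so same tag
    key_a = DNSKEY("example.", 256, 13, pub_a)
    key_b = DNSKEY("example.", 256, 13, pub_b)
    rrsig = sign_stand_in(key_a, signed)
    # The validator does not choose RRset order; here the colliding key comes first.
    return {
        "tags_collide": key_a.tag == key_b.tag and key_a != key_b,
        "no_collision": validate(rrsig, [key_a], signed, max_attempts=1),
        "collision": validate(rrsig, [key_b, key_a], signed, max_attempts=2),
        "collision_tight_budget": validate(rrsig, [key_b, key_a], signed, max_attempts=1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With a single key the RRSIG verifies on the first attempt; with a colliding key ahead of it in the RRset the same RRSIG needs two attempts, and under a budget of one it is reported bogus even though the legitimate key is present. That is the "looks bogus, no way to disambiguate" case from the message: nothing in the RRSIG tells the validator which of the two same-tag keys to try first.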

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]