> One source of these issues is partially bogus RRSIG RRsets which,
> eventually, cause the validator to exceed the limit of allowed validation
> attempts.
>
> Key tag collisions create RRSIG which looks like bogus when
> validating, and AFAIK there's no way to disambiguate this.

To have a key tag collision you either need multiple keys in a DNSKEY RRset that have the same key tag or multiple RRSIGs on a RRset that have the same key tag. Assuming that the validator iterates over the RRSIGs and tries to find a matching DNSKEY, then it is due to a key tag collision if, after a failure, the validator has to try another key with the same key tag. This is easy to distinguish from the case where after a failure there are no other keys to try.
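
The distinction drawn in the reply above, as an added example that is not part of the original message or of any validator's code: the key tag is computed as in RFC 4034 Appendix B, and each failed attempt is counted as a collision retry only when another DNSKEY with the same tag and algorithm is still left to try. The `RRSIG` and `Result` types, the `classify` function, the toy `verify` callback and the three DNSKEY values are constructed for illustration; no real signature verification is performed.

```python
from typing import Callable, NamedTuple, Sequence

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey(pubkey: bytes, flags: int = 256, algorithm: int = 13) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes), protocol 3, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

class RRSIG(NamedTuple):
    algorithm: int
    tag: int
    signature: bytes  # toy value: holds the RDATA of the key that "signed"

class Result(NamedTuple):
    valid: bool
    attempts: int           # DNSKEYs tried for this RRSIG
    collision_retries: int  # failures after which a same-tag key remained

def classify(rrsig: RRSIG, dnskeys: Sequence[bytes],
             verify: Callable[[RRSIG, bytes], bool]) -> Result:
    # Candidate keys are those matching the RRSIG's key tag and algorithm.
    candidates = [k for k in dnskeys
                  if key_tag(k) == rrsig.tag and k[3] == rrsig.algorithm]
    retries = 0
    for n, key in enumerate(candidates, start=1):
        if verify(rrsig, key):
            return Result(True, n, retries)
        if n < len(candidates):
            retries += 1  # failed, but another key with this tag is left
    # The last failure had no other key to try: not explained by a collision.
    return Result(False, len(candidates), retries)

def toy_verify(rrsig: RRSIG, key: bytes) -> bool:
    """Stand-in for cryptographic verification (assumption, not real crypto)."""
    return rrsig.signature == key

# Constructed keys: A and B differ but share a tag, because the tag is a
# 16-bit word sum and their public-key words are merely swapped.
KEY_A = dnskey(b"\x00\x01\x00\x02")
KEY_B = dnskey(b"\x00\x02\x00\x01")
KEY_C = dnskey(b"\x00\x09\x00\x09")
KEYS = [KEY_A, KEY_B, KEY_C]

if __name__ == "__main__":
    print(classify(RRSIG(13, key_tag(KEY_B), KEY_B), KEYS, toy_verify))
    print(classify(RRSIG(13, key_tag(KEY_C), b"forged"), KEYS, toy_verify))
```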
