> On 9 Jul 2025, at 18:24, Petr Špaček <[email protected]> wrote:
>
> Can you clarify source of your confidence about this 'not causing issues'?

Mental arithmetic. There are 2^16 possible key tags => there's a one in 2^15 chance a new tag clashes with an existing one. If a DNSSEC key changes every day, it'll take 2^15 days (~100 years) on average before there's a collision. That's good enough for my definition of "not causing issues". YMMV.

I accept there's a theoretical possibility of a key tag clash causing issues, Petr. IMO that possibility is just too low to bother about. If this has caused actual operational problems, surely this WG would have heard about them by now. AFAICT it hasn't.

You said partially bogus RRSIG RRsets can cause a validator to exceed its limit of allowed validation attempts. Fine. So please suggest how to fix that problem. It's not clear to me how key tag collisions have any bearing on how to deal with bogus RRSIGs.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
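
Added example, not part of the original message or of any DNS implementation: the key tag discussed in this thread is the 16-bit checksum defined in RFC 4034 Appendix B, and the sketch below computes it and reports keys of the same algorithm that share a tag, the check a signer could run before publishing a new key. The key names, the helper names and the short public-key byte strings are constructed for illustration and are not real keys.

```python
import struct
from collections import defaultdict


def key_tag(rdata: bytes) -> int:
    """Key tag of DNSKEY RDATA per RFC 4034 Appendix B.

    Not valid for algorithm 1 (RSA/MD5), which defines its tag differently.
    """
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low.
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in once
    return acc & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def find_clashes(keys: dict) -> dict:
    """Map (algorithm, tag) -> sorted key names, only where 2+ keys share both.

    An RRSIG names its key by algorithm and key tag, so keys in the same
    zone that agree on both are all candidates for one signature.
    """
    by_tag = defaultdict(list)
    for name, (flags, algorithm, public_key) in keys.items():
        tag = key_tag(dnskey_rdata(flags, algorithm, public_key))
        by_tag[(algorithm, tag)].append(name)
    return {k: sorted(v) for k, v in by_tag.items() if len(v) > 1}


# Constructed sample key set (hypothetical names, placeholder key bytes).
# zsk-a and zsk-b were built to share a tag; real keys are much longer.
SAMPLE_KEYS = {
    "ksk-2025": (257, 13, bytes.fromhex("0102030405060708")),
    "zsk-a": (256, 13, bytes.fromhex("1011121314151617")),
    "zsk-b": (256, 13, bytes.fromhex("1213101114151617")),
}

if __name__ == "__main__":
    for (alg, tag), names in find_clashes(SAMPLE_KEYS).items():
        print(f"algorithm {alg}, key tag {tag}: shared by {', '.join(names)}")
```

A signer that finds a clash can simply generate a different key before publication; a validator has to treat the tag only as a hint and may need to try every key that matches it.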
