> On 10 Jul 2025, at 06:01, Peter Thomassen <[email protected]> wrote:
>
> On 7/9/25 20:09, Jim Reid wrote:
>>> Can you clarify source of your confidence about this 'not causing issues'?
>> Mental arithmetic. There are 2^16 possible key tags => there's a one in 2^15
>> chance a new tag clashes with an existing one.
>
> Uniformity of the keytag distribution is a wrong assumption, see
> https://ripe78.ripe.net/presentations/5-20190520-RIPE-78-DNS-wg-Keytags.pdf
>
> This deck also has some slides on impact.
So just use a method that will work reasonably well with the generated key tags. For two signers A uses 'tag < 32768' and B uses 'tag >= 32768' as part of the acceptance criteria when generating a new tag. Resolvers already do the bulk of the work with DNSSEC. A few more key generation attempts on the authoritative side won't hurt anything.

> Have fun,
> Peter
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
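The two-signer acceptance rule described in the message above, as an added example that is not part of the thread or of any signer's code: it computes the DNSKEY key tag as specified in RFC 4034 Appendix B and repeats key generation until the tag lands in the signer's half of the 16-bit space and is not already used in the zone. The key material comes from a constructed, deterministic stand-in for a real key generator (a real signer would call its HSM or keygen there); the signer labels "A" and "B", the helper names, and the use of algorithm 13 are assumptions for illustration.

```python
import hashlib
import struct
from typing import Callable, Set, Tuple

# Key tag per RFC 4034 Appendix B: a 16-bit ones-complement-style checksum
# over the DNSKEY RDATA (flags, protocol, algorithm, public key). It is a
# checksum, not a hash, so its distribution over real keys is not uniform.
def key_tag(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


# Acceptance criteria from the message: signer A only keeps tags below
# 32768, signer B only keeps tags at or above 32768, so keys generated
# independently by the two signers can never share a tag. (Signer labels
# are an assumption for this example.)
TAG_RANGES = {"A": range(0, 32768), "B": range(32768, 65536)}


def acceptable(signer: str, tag: int, existing: Set[int]) -> bool:
    """Tag must be in this signer's half and unused by the zone's other keys."""
    return tag in TAG_RANGES[signer] and tag not in existing


def generate_key(signer: str, make_pubkey: Callable[[], bytes], existing: Set[int],
                 flags: int = 256, protocol: int = 3, algorithm: int = 13,
                 max_attempts: int = 1000) -> Tuple[bytes, int, int]:
    """Generate keys until one passes the acceptance criteria.

    Returns (rdata, tag, attempts). About half of all candidates fall in the
    wrong half, so the expected cost is roughly two generations per key,
    which is the "few more key generation attempts" the message refers to.
    """
    for attempt in range(1, max_attempts + 1):
        rdata = dnskey_rdata(flags, protocol, algorithm, make_pubkey())
        tag = key_tag(rdata)
        if acceptable(signer, tag, existing):
            return rdata, tag, attempt
    raise RuntimeError(f"no acceptable key tag for signer {signer} "
                       f"after {max_attempts} attempts")


def fake_keygen(seed: int = 0) -> Callable[[], bytes]:
    """Constructed stand-in for real key generation.

    Each call returns 32 bytes derived from a counter, the size of an ECDSA
    P-256 public key (algorithm 13). Deterministic so the example is
    reproducible; it is not cryptographic key material.
    """
    counter = seed

    def make() -> bytes:
        nonlocal counter
        counter += 1
        return hashlib.sha256(f"constructed-key-{counter}".encode()).digest()

    return make


if __name__ == "__main__":
    zone_tags: Set[int] = set()
    for signer in ("A", "B"):
        _, tag, attempts = generate_key(signer, fake_keygen(), zone_tags)
        zone_tags.add(tag)
        print(f"signer {signer}: tag {tag} after {attempts} attempt(s)")
```

Because `key_tag` is a plain checksum, a signer that simply regenerates on collision still has to check against every other key tag currently published in the zone, which is what the `existing` set carries; the half-space split only guarantees that the two signers never need to coordinate with each other.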
