I'm under the impression Signers will generally not know of the existence of other Signers before they start generating keytags. Perhaps each Signer should generate a salt that is likely to be independent of the salt used in other Signers.
Steve Crocker

On Wed, Jul 9, 2025 at 11:05 PM Mark Andrews <[email protected]> wrote:

> > On 10 Jul 2025, at 06:01, Peter Thomassen <peter=[email protected]> wrote:
> >
> > On 7/9/25 20:09, Jim Reid wrote:
> >>> Can you clarify source of your confidence about this 'not causing issues'?
> >> Mental arithmetic. There are 2^16 possible key tags => there's a one in 2^15 chance a new tag clashes with an existing one.
> >
> > Uniformity of the keytag distribution is a wrong assumption, see https://ripe78.ripe.net/presentations/5-20190520-RIPE-78-DNS-wg-Keytags.pdf
> >
> > This deck also has some slides on impact.
>
> So just use a method that will work reasonably well with the generated key tags.
>
> For two signers A uses 'tag < 32768' and B uses 'tag >= 32768' as part of the acceptance criteria when generating a new tag.
>
> Resolvers already do the bulk of the work with DNSSEC. A few more key generation attempts on the authoritative side won't hurt anything.
>
> > Have fun,
> > Peter
> >
> > _______________________________________________
> > DNSOP mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [email protected]
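The per-signer acceptance rule Mark describes, worked through as an added Python example (not code from the thread or from any signer): the RFC 4034 Appendix B key tag computation over DNSKEY RDATA, plus a generate-until-accepted loop in which signer A only keeps tags below 32768 and signer B only tags at or above. The public key bytes are random placeholders standing in for real key material, which makes the tags closer to uniform than the real-world distribution the RIPE 78 deck documents.

```python
import random

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF           # fold the carry back in
    return ac & 0xFFFF

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def accept(tag: int, signer: str) -> bool:
    """Mark's partition: signer A takes the lower half of the tag space, B the upper half."""
    return tag < 32768 if signer == "A" else tag >= 32768

def generate_key(signer: str, rng: random.Random, flags: int = 257, algorithm: int = 13):
    """Keep generating keys until the tag satisfies the signer's acceptance criterion.

    Returns (tag, attempts). The 64-byte key is a constructed placeholder (hypothetical),
    not real ECDSA P-256 material; only the tag arithmetic is meaningful here.
    """
    attempts = 0
    while True:
        attempts += 1
        pubkey = bytes(rng.getrandbits(8) for _ in range(64))  # placeholder key bytes
        tag = key_tag(dnskey_rdata(flags, 3, algorithm, pubkey))
        if accept(tag, signer):
            return tag, attempts

def partitioned_tags(n: int, seed: int = 1):
    """Generate n keys per signer and report the tag sets plus total attempts per signer."""
    rng = random.Random(seed)
    result = {}
    for signer in ("A", "B"):
        tags, tries = set(), 0
        for _ in range(n):
            tag, attempts = generate_key(signer, rng)
            tags.add(tag)
            tries += attempts
        result[signer] = (tags, tries)
    return result

if __name__ == "__main__":
    out = partitioned_tags(20)
    for s, (tags, tries) in out.items():
        print(f"signer {s}: {len(tags)} tags, {tries} generation attempts")
    print("cross-signer collisions:", out["A"][0] & out["B"][0])
```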
