> On 10 Jul 2025, at 13:10, Steve Crocker <[email protected]> wrote:
>
> I'm under the impression Signers will generally not know of the existence of
> other Signers before they start generating keytags. Perhaps each Signer
> should generate a salt that is likely to be independent of the salt used in
> other Signers.
>
> Steve Crocker
Signers may or may not have knowledge of other signers. Just because the existing signers weren't developed with multiple signers in mind, it doesn't mean that they can't be upgraded to know about multiple signers. For multi-signers to work, DNSKEYs from each of the signers need to be distributed to the other signers. The mechanisms to do this are not specified in any RFC.

> On Wed, Jul 9, 2025 at 11:05 PM Mark Andrews <[email protected]> wrote:
>
> > On 10 Jul 2025, at 06:01, Peter Thomassen <[email protected]> wrote:
> >
> > On 7/9/25 20:09, Jim Reid wrote:
> > > > Can you clarify source of your confidence about this 'not causing issues'?
> > > Mental arithmetic. There are 2^16 possible key tags => there's a one in
> > > 2^15 chance a new tag clashes with an existing one.
> >
> > Uniformity of the keytag distribution is a wrong assumption, see
> > https://ripe78.ripe.net/presentations/5-20190520-RIPE-78-DNS-wg-Keytags.pdf
> >
> > This deck also has some slides on impact.
>
> So just use a method that will work reasonably well with the generated key
> tags.
>
> For two signers A uses 'tag < 32768' and B uses 'tag >= 32768' as part of the
> acceptance criteria when generating a new tag.
>
> Resolvers already do the bulk of the work with DNSSEC. A few more key
> generation attempts on the authoritative side won't hurt anything.
>
> > Have fun,
> > Peter

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
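The acceptance-criterion idea quoted above (signer A keeps only keys whose tag is below 32768, signer B only keys at or above it) as a worked example. This is added illustration, not code from anyone in the thread or from any signer implementation. It computes key tags the way RFC 4034 Appendix B specifies, over the wire-format DNSKEY RDATA, generalises the two-signer split to n signers by cutting the 16-bit tag space into n slices, and includes the collision check a signer would run over the DNSKEYs it receives from the other signers. The public keys are random bytes standing in for real key pairs (a real signer would call its own key generation inside the retry loop), and the sample record in the test is constructed, not a real zone's key. Because the loop simply rejects and retries, it does not depend on the tag distribution being uniform; non-uniformity only changes how many attempts are needed.

```python
"""Key tags in a multi-signer setup: RFC 4034 key tag over DNSKEY RDATA,
collision check over exchanged DNSKEYs, and regenerate-until-in-slice
key selection (the 'tag < 32768' / 'tag >= 32768' criterion, for n signers).
Public keys here are random bytes standing in for a real key pair."""
import base64
import random

KEY_TAG_SPACE = 1 << 16  # key tags are 16 bits wide


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: key tag over the DNSKEY RDATA
    (flags, protocol, algorithm, public key).  Algorithm 1 (RSA/MD5,
    obsolete) used the Appendix B.1 rule; kept so old records compute."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA needs flags, protocol, algorithm")
    if rdata[3] == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes,
                 protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA; protocol is always 3 (RFC 4034, 2.1.2)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag_from_presentation(text: str) -> int:
    """Tag of a zone-file style record: '<flags> <proto> <alg> <base64...>'."""
    fields = text.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    public_key = base64.b64decode("".join(fields[3:]))
    return key_tag(dnskey_rdata(flags, algorithm, public_key, protocol))


def partition_of(tag: int, n_signers: int) -> int:
    """Slice of the tag space a tag falls in when it is cut into n_signers
    near-equal ranges; for two signers, 0 is 'tag < 32768', 1 is the rest."""
    return tag * n_signers // KEY_TAG_SPACE


def generate_key_in_partition(signer_index: int, n_signers: int,
                              make_public_key, flags: int = 257,
                              algorithm: int = 13):
    """Rejection sampling: regenerate until the tag is in this signer's
    slice.  Returns (rdata, tag, attempts); attempts averages n_signers."""
    attempts = 0
    while True:
        attempts += 1
        rdata = dnskey_rdata(flags, algorithm, make_public_key())
        tag = key_tag(rdata)
        if partition_of(tag, n_signers) == signer_index:
            return rdata, tag, attempts


def colliding_tags(rdatas) -> dict:
    """Tags shared by more than one DNSKEY: what a signer checks once the
    other signers' DNSKEYs have been distributed to it."""
    counts = {}
    for rdata in rdatas:
        tag = key_tag(rdata)
        counts[tag] = counts.get(tag, 0) + 1
    return {tag: n for tag, n in counts.items() if n > 1}


def demo(seed: int = 7, n_signers: int = 2):
    """Every signer draws a key in its own slice, so the resulting set is
    collision-free by construction.  Returns the per-signer results."""
    rng = random.Random(seed)  # deterministic stand-in for key generation

    def fake_public_key() -> bytes:
        # 64 random bytes in place of a real public key (constructed input)
        return rng.getrandbits(512).to_bytes(64, "big")

    results = [generate_key_in_partition(i, n_signers, fake_public_key)
               for i in range(n_signers)]
    assert not colliding_tags([rdata for rdata, _, _ in results])
    return results


if __name__ == "__main__":
    for i, (_, tag, attempts) in enumerate(demo()):
        print(f"signer {i}: key tag {tag:5d} after {attempts} attempt(s)")
    # constructed record, not a real zone's key
    print("constructed record:", key_tag_from_presentation("257 3 13 AQIDBA=="))
```

The slice test is only an acceptance filter on the signer's own output; it does nothing about keys the other signers generated before the rule was agreed, which is what the collision check over the distributed DNSKEY set is for.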
