John, you keep stating that everything is working OK. We only have a small 
percentage of all responses signed, multiple signers are already enforcing the 
desired behaviour.  There is also no requirement that every key signs every 
RRset so there isn’t always another RRSIG to try to compare against.  There 
also isn’t a lot of headroom in the system as the percentage of zones being signed 
increases and with that more verifies per resolution. 

Having trial and error in the protocol is a design error IMHO. We are trying to 
fix that error.  Yes there is an installed base but that is not a reason to not 
fix the error. 
-- 
Mark Andrews

> On 14 Jul 2025, at 01:17, John R Levine <[email protected]> wrote:
> 
> On Sun, 13 Jul 2025, Warren Kumari wrote:
>> Is there any actual downside to saying something like "if the new key has a
>> colliding keytag, just throw it away and try again"? And if you have
>> multiple signers, partitioning the space both allows this, and provides a
>> quick signal to a zone owner who is doing debugging at 3AM *which* signer
>> generated the key...
> 
> As optional operational advice, sure, why not.
> 
>> Without all of the MUSTs, and instructions to the validators, avoiding
>> collisions, when easy, seems like a win to me.
> 
> Right, it's the MUST stuff that makes no sense.  We are still not the Network 
> Police and no matter what we say, there will always be some collisions 
> whether by accident or malice, and resolvers will always need to deal with 
> them.  The current approach, stop after a small number like 2, seems 
> reasonable.
> 
> Regards,
> John Levine, [email protected], Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
> 
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
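
Added example, not part of the original messages or of any signer's code: the "throw it away and try again" advice and the multi-signer partitioning quoted above, sketched in Python using the RFC 4034 Appendix B key tag computation. The `keygen` callable, the `tag_range` partition parameter and the sample key bytes are assumptions constructed for illustration.

```python
import os
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    # DNSKEY RDATA = flags (2 octets) | protocol (1) | algorithm (1) | public key
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, octet in enumerate(rdata):
        # Even-indexed octets are the high byte of each 16-bit word
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def generate_key(existing_tags, keygen, tag_range=range(0x10000),
                 flags=256, protocol=3, algorithm=15, max_attempts=16):
    """Return (public_key, tag, attempts) for the first candidate whose tag
    is unused in the zone and inside this signer's partition (tag_range)."""
    for attempt in range(1, max_attempts + 1):
        public_key = keygen()
        tag = key_tag(flags, protocol, algorithm, public_key)
        if tag in existing_tags or tag not in tag_range:
            continue  # discard the candidate and generate another key
        return public_key, tag, attempt
    raise RuntimeError("no usable key tag after %d attempts" % max_attempts)

def demo_collision():
    # Constructed sample: the zone already publishes a key with tag 1039,
    # and the first candidate (32 zero octets) hashes to the same tag.
    candidates = iter([bytes(32), b"\x00\x01" + bytes(30)])
    return generate_key({1039}, lambda: next(candidates))

def demo_partition():
    # Constructed sample: this signer is assigned tags 1280..2047 only.
    candidates = iter([bytes(32), b"\x01" + bytes(31)])
    return generate_key(set(), lambda: next(candidates),
                        tag_range=range(1280, 2048))

if __name__ == "__main__":
    # Hypothetical stand-in: 32 random octets in place of a real Ed25519
    # key generator, which would also return the private key.
    print(generate_key({1039}, lambda: os.urandom(32)))
```

This only covers the signer side; as the thread notes, a validator still has to cope with collisions it encounters.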
