On Wed, 16 Jul 2025, Philip Homburg wrote:

> The problem is that recursors just set random limits that seem to work most
> of the time. On the authoritative side, these limits are largely unknown,
> let alone the effect on validation of errors in multiple zones.
>
> Recently, as a result of reports of potential DoS attacks, resolvers have
> reduced limits to the point where at cold start queries often exceed those
> limits.

I believe you, but I don't understand why someone would pick this
particular limit as a hill to die on. Why not CNAMEs? Or the number of
chained NS? Or the number of RRSIGs? Or any of a dozen others?

> Discussions about limits fail. And it is not even clear why they fail.
>
> For example, who would be the affected parties of a BCP that has a
> statement that DNSSEC signers MUST NOT generate key tag collisions?

For a start, those of us who don't understand what that would mean. Is it
just advice to zone operators about how to sign? Does it tell recursors
to fail as soon as they see a duplicate key tag, even though we know that
there's a small but nonzero number of innocent collisions?
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
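The thread above talks about key tag collisions in the abstract. As an added illustration (editor's example, not code from either poster or from any resolver or signer project), the following computes the 16-bit DNSSEC key tag from DNSKEY RDATA as specified in RFC 4034 Appendix B, checks a DNSKEY RRset for duplicate tags the way a signer-side "MUST NOT generate collisions" check would, and counts how many candidate signature verifications a validator faces when RRSIG tags match more than one key. The DNSKEY RRset is constructed for the example; the public-key bytes are deliberately tiny and not real keys, and the function names are the example's own.

```python
import base64
from collections import defaultdict


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags, protocol, algorithm, public key),
    per RFC 4034 Appendix B. Algorithm 1 (RSA/MD5) uses a different rule
    that this example does not implement."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build wire-format DNSKEY RDATA from the presentation-format fields."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def find_key_tag_collisions(dnskeys):
    """dnskeys: list of (flags, protocol, algorithm, pubkey_b64) tuples, i.e. one
    DNSKEY RRset. Returns {tag: [indexes into dnskeys]} for every tag shared by
    more than one key; an empty dict means the RRset is collision-free."""
    by_tag = defaultdict(list)
    for idx, (flags, proto, alg, key) in enumerate(dnskeys):
        by_tag[key_tag(dnskey_rdata(flags, proto, alg, key))].append(idx)
    return {tag: idxs for tag, idxs in by_tag.items() if len(idxs) > 1}


def candidate_verifications(dnskeys, rrsigs):
    """Upper bound on signature checks a validator may attempt for one RRset:
    for each RRSIG (key tag, algorithm) it may try every DNSKEY whose tag and
    algorithm match. Colliding tags multiply this count; the tag is only 16
    bits, so a small number of innocent collisions is expected in the wild."""
    tags = [(key_tag(dnskey_rdata(f, p, a, k)), a) for f, p, a, k in dnskeys]
    return sum(1 for sig_tag, sig_alg in rrsigs for tag, alg in tags
               if tag == sig_tag and alg == sig_alg)


# Constructed DNSKEY RRset (not real keys): the first two entries differ only
# in the order of their key bytes, which the tag arithmetic cannot tell apart.
CONSTRUCTED_DNSKEYS = [
    (256, 3, 13, "AQIDBA=="),  # ZSK, key bytes 01 02 03 04
    (256, 3, 13, "AwQBAg=="),  # ZSK, key bytes 03 04 01 02: same tag as above
    (257, 3, 13, "AQIDBA=="),  # KSK flag set: different flags, different tag
]

if __name__ == "__main__":
    print("collisions:", find_key_tag_collisions(CONSTRUCTED_DNSKEYS))
    # Two RRSIGs, one carrying the colliding tag: three candidate checks
    # instead of the two a collision-free RRset would cost.
    print("candidate checks:", candidate_verifications(CONSTRUCTED_DNSKEYS, [(2067, 13), (2068, 13)]))
```

Run against a zone's actual DNSKEY RRset (fields pasted from `dig DNSKEY` output), `find_key_tag_collisions` is the signer-side check a BCP of the kind Philip mentions would imply, and `candidate_verifications` is one way to see the validation-cost side of the same collision.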
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]