It appears that Libor Peltan <[email protected]> said:
>The protocol is broken right now. The authoritative operators/vendors 
>are not instructed (or even warned) to do anything with keytag 
>conflicts, and some major resolver vendors unilaterally invented and 
>implemented a feature that makes the resolution randomly fail. The issue 
>is sneaky because it happens with very low probability (something like 
>1/64k^2 * #ofZonesVulnerableToKeytagConflict), it might not yet have 
>even happened at all, but it might break things terribly. 

I have trouble working up much enthusiasm for spending time on a problem that
happens with such low probability that as far as we know it has never happened,
and may well not happen between now and the time that the DNS is replaced by
something else.  Also, it is my impression that existing resolvers can all handle
single collisions, so keeping in mind that there's about 14 bits of randomness
in real keytags, it's more like (1/16k^3 * #nzones).

If anyone has ever come across a keytag collision with more than two valid keys,
I would really like to hear about it. Zones you deliberately created by
generating millions of keys until they collide probably don't count.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
