> On 9. 7. 2025, at 16:43, John R Levine <[email protected]> wrote:
>
> On Wed, 9 Jul 2025, Petr Špaček wrote:
>>> https://docs.google.com/presentation/d/1snTpkDcRmJN8bbGx9XrOt5taUdS1xSElMB1Ok8s7Kko
>>
>> I take that as an argument to forbid it!
>>
>> 107 sounds like a perfectly tractable number to fix. The two flag days had
>> waaaay wider reach, for example, and way more domains got fixed.
>
> I still don't see the point.
>
> That was a snapshot from a year ago. If I did it again, the list would be
> different. We wouldn't have just to fix the collisions in those 107 domains,
> we'd have to upgrade *everyone's* software to prevent them in the future.

Yes, great. That's excellent operational advice, not to run old crap.

> Getting rid of all of the potential collisions would be a great deal of work.

I disagree. It is not a great deal of work. It is a part of normal operational practice. Bugs in software get fixed, operators upgrade the software.

> For some people it might just be a new version of bind, but we don't all run
> bind, and as the draft noted, if there are multiple signers or HSMs the
> changes are not trivial.
>
> And for what? Since the keytrap stuff last year, caches already limit
> collisions to 2 or 3, realistically it's never more than 1, and the long tail
> means caches will be making this check forever. What's the benefit,
> other than perhaps aesthetic, of dropping the nominal limit from 2 to 0?

--
Ondřej Surý (He/Him)
[email protected]
DNSOP mailing list -- [email protected]
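The thread argues about whether zone operators should be expected to fix key tag collisions in their own DNSKEY RRsets rather than relying on the validator-side limit caches adopted after KeyTrap. The operator-side check itself is small. Below is an added example, not code from the thread or from any of the implementations mentioned in it: it computes the DNSSEC key tag as specified in RFC 4034 Appendix B over the DNSKEY RDATA (flags, protocol, algorithm, public key) and reports any tag shared by more than one key in an RRset. The zone name `example.test.` and the key bytes are constructed sample data; the second key is built from the first by swapping two bytes at even positions, which the 16-bit tag arithmetic cannot distinguish, so that the collision report is exercised.

```python
# Added example (not from the DNSOP thread): compute RFC 4034 Appendix B key tags
# for the DNSKEY records of a zone and flag duplicate tags before publishing.
import base64
from collections import defaultdict


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit ones'-complement style sum over
    the DNSKEY RDATA, where even-offset octets are weighted by 256."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rr(line: str) -> tuple[int, int, int, bytes]:
    """Parse one DNSKEY record in zone-file presentation format:
    '<owner> [ttl] [class] DNSKEY <flags> <protocol> <algorithm> <base64...>'."""
    fields = line.split()
    pos = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[pos + 1 : pos + 4])
    public_key = base64.b64decode("".join(fields[pos + 4 :]))
    return flags, protocol, algorithm, public_key


def find_collisions(lines: list[str]) -> dict[int, list[int]]:
    """Return {key_tag: [record indices]} for every tag that more than one
    DNSKEY in the RRset maps to. An empty dict means the RRset is collision-free."""
    by_tag: dict[int, list[int]] = defaultdict(list)
    for idx, line in enumerate(lines):
        flags, protocol, algorithm, public_key = parse_dnskey_rr(line)
        by_tag[key_tag(flags, protocol, algorithm, public_key)].append(idx)
    return {tag: idxs for tag, idxs in by_tag.items() if len(idxs) > 1}


# Constructed sample keys (32-byte blobs, algorithm 15 sized; not real key material).
KEY_A = bytes(range(1, 33))
# KEY_B swaps KEY_A's octets at offsets 0 and 2: both sit at even RDATA offsets,
# so the weighted sum, and therefore the tag, is unchanged.
KEY_B = bytes([KEY_A[2], KEY_A[1], KEY_A[0]]) + KEY_A[3:]
KEY_C = bytes(range(100, 132))

SAMPLE_RRSET = [
    f"example.test. 3600 IN DNSKEY 257 3 15 {base64.b64encode(KEY_A).decode()}",
    f"example.test. 3600 IN DNSKEY 257 3 15 {base64.b64encode(KEY_B).decode()}",
    f"example.test. 3600 IN DNSKEY 256 3 15 {base64.b64encode(KEY_C).decode()}",
]


def report(lines: list[str]) -> str:
    """Human-readable summary, the kind of line a pre-publish check would log."""
    collisions = find_collisions(lines)
    if not collisions:
        return "ok: all DNSKEY key tags distinct"
    parts = [f"tag {tag} shared by records {idxs}" for tag, idxs in sorted(collisions.items())]
    return "collision: " + "; ".join(parts)


if __name__ == "__main__":
    for line in SAMPLE_RRSET:
        print(key_tag(*parse_dnskey_rr(line)), line[:60])
    print(report(SAMPLE_RRSET))
```

A zone signer or a CI step around the signing pipeline would run `find_collisions` over the DNSKEY RRset it is about to publish and refuse to continue when the result is non-empty, which is the operator-side complement of the validator-side limit discussed above.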
