> Like what? I also use the ldns scripts, and I don't see any problem if a KSK and
> ZSK happen to have the same tag. I do put the KSKs and ZSKs in different
> directories, so there isn't a filename collision problem, but that adds perhaps
> one line to the signing script.
What about a ZSK roll? There is a one in about 30000 chance you get a key tag collision and two ZSKs will have the same filename (if you use ldns-keygen).

But that is not the point. Whether a particular signer can deal with key tag collisions is a local problem. If it can't, the users of that signer suffer. I think .ru had a bit of a problem some time ago. But by and large not our problem.

The problem is that every validator has to deal with the potential presence of collisions. So if you want to argue that collisions are fine, then look at the code of some old validators, such as in bind9, and then say that it is fine.

We know that key tag collisions are not fine at all for validators. In the best case it is just needless extra complexity. In the worst case, it may lead to limits that are either too high and lead to DoS attacks or too low and lead to validation errors in rare cases.

It seems that there are few people with old signers that just don't want to move and in effect make all validators suffer.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
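As an added example (not part of this thread or of any signer or validator named in it), the RFC 4034 Appendix B key tag computation next to the validator-side lookup the message is about: an RRSIG identifies its key only by algorithm and key tag, so every matching DNSKEY must be tried, and the validator caps how many candidates it will try. The keys are constructed toy byte strings, not real key material, chosen so that two ZSKs and a KSK share one tag; the `limit` parameter and the `verifies` callback are assumptions standing in for a real validator's cap and signature check.

```python
from dataclasses import dataclass
import struct

@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 256 = ZSK, 257 = KSK (SEP bit set)
    algorithm: int      # DNSSEC algorithm number, e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # constructed toy bytes below, NOT real key material
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1: 16-bit checksum over DNSKEY RDATA (all algorithms but RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

class TooManyCandidates(Exception):
    """More DNSKEYs match one RRSIG than the validator is willing to try."""

def candidate_keys(dnskeys, rrsig_key_tag, rrsig_algorithm, limit):
    """Every DNSKEY the RRSIG could have been made with, or raise if more than `limit`.

    An RRSIG names its key only by (signer, algorithm, key tag), so a tag collision forces
    the validator to try several keys. `limit` is an assumed per-RRSIG cap: too high lets
    many colliding keys burn CPU, too low turns a legitimate collision into a failure."""
    matches = [k for k in dnskeys
               if k.algorithm == rrsig_algorithm and key_tag(k.rdata()) == rrsig_key_tag]
    if len(matches) > limit:
        raise TooManyCandidates(f"{len(matches)} keys share tag {rrsig_key_tag}, limit {limit}")
    return matches

def find_signing_key(dnskeys, rrsig_key_tag, rrsig_algorithm, limit, verifies):
    """Try each candidate in turn; `verifies(key)` stands in for the real signature check."""
    for key in candidate_keys(dnskeys, rrsig_key_tag, rrsig_algorithm, limit):
        if verifies(key):
            return key
    return None

# Constructed toy keys: the tag is a checksum, so swapping bytes at odd offsets (or trading
# the SEP flag bit for a public-key bit) gives different keys with the same tag, 1039.
ZSK_A = DNSKEY(256, 13, b"\x00\x02\x00\x00")
ZSK_B = DNSKEY(256, 13, b"\x00\x00\x00\x02")
KSK = DNSKEY(257, 13, b"\x00\x01\x00\x00")
OTHER = DNSKEY(256, 13, b"\x00\x00\x00\x00")   # tag 1037, same algorithm
ZONE_KEYS = [ZSK_A, ZSK_B, KSK, OTHER]
```

With `limit=2` the three colliding keys trip `TooManyCandidates` even though one of them is the genuine signer, which is the "too low" failure mode; raising the cap trades that for more wasted signature checks per RRSIG.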
