It appears that Philip Homburg  <[email protected]> said:
>>Like what? I also use the ldns scripts, and I don't see any problem if a KSK
>>and ZSK happen to have the same tag. ...

>What about a ZSK roll. There is a one in about 30000 chance you get a key tag
>collision and two ZSKs will have the same filename (if you use ldns-keygen).

To channel Geoff Huston, there's no reason to do a key roll unless you're
changing the algorithm.  In that case the filenames will be different.  But
whatever.

>The problem is that every validator has to deal with the potential 
>presence of collisions. So if you want to argue that collisions are fine,
>then look at the code of some old validators, such as in bind9 and then
>say that it is fine.

We're not the Network Police. No matter how loudly we say MUST NOT, as we saw
with Keytrap, there will be tag collisions, whether by accident or malice. Every
DNS cache has to deal with it, and nothing we do will change that. The current
code stops after two or three collisions, the most we could do is drop that to
one a decade from now. I do not see why it is worth any effort at all.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
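Added example (not code from this thread, from ldns, or from bind9): the RFC 4034 Appendix B key tag computation, a constructed collision between two DNSKEYs that share a tag, and a validator that caps how many same-tag candidate keys it tries for one RRSIG, the kind of bound the message above refers to. The key bytes are seeded random stand-ins, the forged keys are made to collide by appending bytes (real keys are not malleable that way; an attacker who mints keys just regenerates until the tag matches), and MAX_SAME_TAG_KEYS and verify() are hypothetical, not any validator's actual constant or cryptographic check.

```python
"""Added example, not code from the thread, ldns, or bind9: RFC 4034
Appendix B key tags, a constructed tag collision, and a validator-side
cap on how many same-tag DNSKEYs are tried for one RRSIG."""
import random
import struct
from typing import Callable, Dict, List, Tuple

# Hypothetical cap on signature checks per RRSIG; not any real validator's value.
MAX_SAME_TAG_KEYS = 2


def _word_sum(rdata: bytes) -> int:
    # Sum of the RDATA read as big-endian 16-bit words; an odd trailing
    # byte is the high byte of a final word, as in RFC 4034 Appendix B.
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    return ac


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over wire-format DNSKEY RDATA
    (flags | protocol | algorithm | public key); the historical
    algorithm 1 (RSA/MD5) special case is omitted."""
    ac = _word_sum(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def random_keys(n: int, algorithm: int = 13, keylen: int = 64, seed: int = 1) -> List[bytes]:
    # Constructed stand-ins for public keys: seeded random bytes so the run
    # is reproducible. Flags 256 marks a ZSK.
    rng = random.Random(seed)
    return [dnskey_rdata(256, algorithm, bytes(rng.getrandbits(8) for _ in range(keylen)))
            for _ in range(n)]


def first_collision(keys: List[bytes]) -> Tuple[int, int, int]:
    """Indices of the first two keys sharing a tag, plus that tag. With a
    16-bit tag the birthday bound makes this happen after a few hundred
    keys, far sooner than the per-pair odds alone suggest."""
    seen: Dict[int, int] = {}
    for i, k in enumerate(keys):
        t = key_tag(k)
        if t in seen:
            return seen[t], i, t
        seen[t] = i
    raise ValueError("no collision in this batch")


def forge_same_tag(rdata: bytes, target: int) -> bytes:
    """Constructed demo: append two 16-bit words so the RDATA's tag equals
    `target`. Real keys are not malleable like this; an attacker who mints
    keys simply retries generation until the tag matches."""
    if len(rdata) % 2:
        rdata += b"\x00"
    base = _word_sum(rdata)
    # Two appended words raise the word sum by any w in 0..0x1FFFE, which
    # spans a full 16-bit cycle of the folded sum whatever `base` is.
    for w in range(0x1FFFF):
        ac = base + w
        if ((ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF) == target:
            lo, hi = w >> 1, w - (w >> 1)
            return rdata + hi.to_bytes(2, "big") + lo.to_bytes(2, "big")
    raise ValueError("tag not reachable (cannot happen for a 16-bit target)")


def candidate_keys(dnskeys: List[bytes], sig_tag: int, sig_alg: int) -> List[bytes]:
    # RFC 4035 section 5.3.1: a DNSKEY is a candidate for an RRSIG only if its
    # key tag and algorithm match (owner-name and Zone Key flag checks omitted).
    return [k for k in dnskeys if key_tag(k) == sig_tag and k[3] == sig_alg]


def verify_bounded(dnskeys: List[bytes], sig_tag: int, sig_alg: int,
                   verify: Callable[[bytes], bool],
                   limit: int = MAX_SAME_TAG_KEYS) -> Tuple[bool, int]:
    """Try candidate keys in RRset order, but run at most `limit` signature
    verifications for this one RRSIG. Returns (validated, checks_done)."""
    done = 0
    for k in candidate_keys(dnskeys, sig_tag, sig_alg):
        if done >= limit:
            break
        done += 1
        if verify(k):
            return True, done
    return False, done


def demo() -> Tuple[bool, int, bool, int]:
    keys = random_keys(1500)
    i, _, tag = first_collision(keys)
    real = keys[i]

    def verify(k: bytes) -> bool:
        # Stands in for the real, expensive signature check: only the genuine
        # key validates. This cost is what same-tag keys multiply.
        return k == real

    # Hostile RRset: 50 forged keys sharing the real key's tag, listed first.
    forged = [forge_same_tag(random_keys(1, seed=100 + n)[0], tag) for n in range(50)]
    ok_honest, n_honest = verify_bounded([real], tag, 13, verify)
    ok_hostile, n_hostile = verify_bounded(forged + [real], tag, 13, verify)
    return ok_honest, n_honest, ok_hostile, n_hostile
```

demo() shows both sides of the cap: the honest RRset validates after one check, and the hostile one costs two checks instead of fifty, but the genuine key sitting behind the colliding ones is never reached, so a tight limit trades availability for bounded work.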