As the inventor of DNSSEC key tags, I am constantly amazed by the
hundreds of email messages and incredible amount of foofaraw on this
list about them. They were always intended to just be a simple
heuristic to probabilistically reduce effort in most cases of multiple
keys. Of course the standards need to say that the key tag must be
correctly set, but there I'm not sure there is any need to require
anyone to even look at the key tag.

Maybe the documents should have said something about resolvers having
to limit the amount of effort they put into resolving any query. But
at the time, when processors were slower and public key operations
were thus more expensive, it just seemed obvious that this is always
the case whether trying multiple keys or following CNAME chains or
whatever.

I'm fine with a document giving guidelines for DNS limits. Based on
the discussions, specifying that a resolver give up after trying 2 or
maybe 3 keys with the same tag seems to solve the problem.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd
 2386 Panoramic Circle, Apopka, FL 32703 USA
 [email protected]

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
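The two mechanisms discussed in the post, the RFC 4034 key tag as a cheap filter over candidate DNSKEYs and a resolver that stops after trying a small number of keys sharing a tag, as an added example in Python. This is not code from the post or from any resolver; the keys, the RRset bytes and the signature routine are constructed stand-ins (a SHA-256 over key RDATA and data, not real DNSSEC cryptography), and the names `validate`, `stand_in_sign` and `max_tries` are assumptions for illustration.

```python
"""RFC 4034 key tag computation plus a bounded candidate-key loop.

Added example for this thread; it is not code from the post or from any
resolver. Key material, signatures and the verifier are constructed
stand-ins (SHA-256 over key RDATA || data), not real DNSSEC cryptography.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # bit 7 (value 256) = Zone Key; must be set to verify RRSIGs
    protocol: int      # always 3 for DNSSEC
    algorithm: int
    public_key: bytes  # constructed bytes here, not a real public key

    def rdata(self) -> bytes:
        """Wire-format RDATA: Flags | Protocol | Algorithm | Public Key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the non-RSA/MD5 case): a 16-bit
    checksum-style sum over the RDATA. It is a heuristic index, not a
    unique identifier, so distinct keys can legitimately share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def stand_in_sign(key: DNSKEY, data: bytes) -> bytes:
    """Constructed stand-in for a real signature (hash of key RDATA || data)."""
    return hashlib.sha256(key.rdata() + data).digest()


def stand_in_verify(key: DNSKEY, data: bytes, signature: bytes) -> bool:
    return stand_in_sign(key, data) == signature


def validate(data: bytes, rrsig: RRSIG, dnskeys: Iterable[DNSKEY],
             max_tries: int = 2) -> tuple[str, int]:
    """Try candidate keys for one RRSIG, bounded by max_tries.

    Returns (status, attempts) with status "secure", "bogus" or
    "limit-exceeded". Only keys whose algorithm, protocol, Zone Key flag
    and key tag all match the RRSIG cost a signature check, and at most
    max_tries of those are checked before the resolver gives up.
    """
    attempts = 0
    for key in dnskeys:
        if key.algorithm != rrsig.algorithm or key.protocol != 3:
            continue
        if not key.flags & 0x0100:            # not a Zone Key
            continue
        if key_tag(key.rdata()) != rrsig.key_tag:
            continue                           # cheap filter: no crypto spent
        if attempts >= max_tries:
            return "limit-exceeded", attempts
        attempts += 1
        if stand_in_verify(key, data, rrsig.signature):
            return "secure", attempts
    return "bogus", attempts


# Constructed keys: A, B and E happen to share tag 1041; C is 1042, D is 1036.
KEY_A = DNSKEY(257, 3, 13, bytes.fromhex("00010002"))
KEY_B = DNSKEY(256, 3, 13, bytes.fromhex("00010003"))
KEY_E = DNSKEY(256, 3, 13, bytes.fromhex("00020002"))
KEY_C = DNSKEY(256, 3, 13, bytes.fromhex("00010004"))
KEY_D = DNSKEY(256, 3, 8, bytes.fromhex("00010003"))
ZONE_KEYS = [KEY_A, KEY_B, KEY_E, KEY_C, KEY_D]
RRSET = b"example. IN A 192.0.2.1"   # constructed RRset bytes


def signed_by(key: DNSKEY, data: bytes = RRSET) -> RRSIG:
    """Build an RRSIG (constructed) carrying the signing key's tag."""
    return RRSIG(key.algorithm, key_tag(key.rdata()), stand_in_sign(key, data))


if __name__ == "__main__":
    for k in ZONE_KEYS:
        print(f"flags={k.flags} alg={k.algorithm} tag={key_tag(k.rdata())}")
    print(validate(RRSET, signed_by(KEY_B), ZONE_KEYS))               # ('secure', 2)
    print(validate(RRSET, signed_by(KEY_E), ZONE_KEYS))               # ('limit-exceeded', 2)
    print(validate(RRSET, signed_by(KEY_E), ZONE_KEYS, max_tries=3))  # ('secure', 3)
```

The third call shows the trade-off the post describes: with three keys sharing a tag, a limit of 2 makes a validly signed RRset come back "limit-exceeded" rather than "secure", while a limit of 3 accepts it. A real resolver would apply the bound per query across all RRSIGs rather than per signature, but the shape of the check is the same.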
