> Except that the attacker can trivially introduce collisions (KeyTrap, as you mentioned), so I'm not sure how far this argument gets us.
>
> The defense is to limit the number of public key operations. I believe Donald's point is that this bounding of work could happen whether you look at keytag or not.
>
> That said, I think it's up to validators whether to look at keytags, and I'm not sure what the goal of this discussion is. Keytags are what they are and we can't go back.
Because key tag collisions are extremely rare, I got to the following reasoning: key tag collisions are rare, so my validator will accept a single key tag collision and will treat more than one collision as an attack and return DNSSEC bogus. So yes, an attacker can introduce collisions, but the effect will be limited.

From a statistical point of view, if we look at DNSKEY RRsets with at least two keys, then one in 30,000 should have a collision (assuming keys are generated randomly). In practice the observed number of collisions is a lot lower. So my conclusion is that most zones are signed by a signer that actively avoids collisions.

Given that avoiding collisions is common practice and that it is a desirable feature, we can say that avoiding collisions is best common practice. So why not document that? Why not figure out what is holding back the remaining signers that do generate collisions?

There seems to be a vocal group with signers that generate collisions who don't want to discuss technical aspects of their signers, but who do want to block any BCP that says that not generating collisions is common practice and that all signers need to avoid generating collisions.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
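The validator policy and the back-of-the-envelope statistics in the message above, as an added worked example that is not part of the DNSOP thread. It computes the RFC 4034 Appendix B key tag over DNSKEY RDATA, applies the "accept one collision, more than one is bogus" rule, counts the (RRSIG, candidate DNSKEY) pairs a validator would have to try (my own illustration of the work-bounding defense mentioned in the quoted text), and evaluates the birthday-style probability of a tag collision for a random RRset. All DNSKEY RDATA below is constructed placeholder bytes, not real key material; the function names and the budget parameter are assumptions of this example.

```python
# Added example, not code from the thread or from any signer/validator.
# Key tags are 16 bits, so a deliberate collision is easy to construct:
# the tag is a folded 16-bit sum, so moving +1/-1 between two bytes at the
# same parity offset leaves it unchanged.
from typing import Iterable, Sequence


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key).

    Even-offset bytes form the high half of a 16-bit word, odd-offset bytes
    the low half; the carry is folded back in once at the end.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key


def count_collisions(rrset: Iterable[bytes]) -> int:
    """Keys that share a tag with an earlier key in the RRset."""
    tags = [key_tag(k) for k in rrset]
    return len(tags) - len(set(tags))


def validate_key_tags(rrset: Sequence[bytes], max_collisions: int = 1) -> str:
    """The policy from the post: tolerate one collision, call more 'bogus'."""
    return "bogus" if count_collisions(rrset) > max_collisions else "ok"


def verification_budget_ok(rrset: Sequence[bytes],
                           rrsig_key_tags: Sequence[int],
                           budget: int) -> bool:
    """The other defense in the thread: bound public key operations.

    Every RRSIG is matched against every DNSKEY with the same tag, so the
    number of signature verifications is the sum of those matches. A
    validator can refuse to start if that exceeds a fixed budget.
    """
    tags = [key_tag(k) for k in rrset]
    attempts = sum(tags.count(t) for t in rrsig_key_tags)
    return attempts <= budget


def p_any_collision(n_keys: int, space: int = 1 << 16) -> float:
    """Probability that n random 16-bit tags contain at least one collision."""
    p_none = 1.0
    for i in range(n_keys):
        p_none *= (space - i) / space
    return 1.0 - p_none


# --- constructed sample keys (placeholder bytes, not real keys) -----------
PUBKEY_A = bytes(range(1, 33))            # 32 placeholder key bytes
KEY_A = dnskey_rdata(257, 13, PUBKEY_A)   # KSK flags, algorithm 13

# Deliberate collision: +1 and -1 on two odd-offset key bytes (RDATA offsets
# 5 and 7) leave the folded sum, and therefore the tag, unchanged.
_pk = bytearray(PUBKEY_A); _pk[1] += 1; _pk[3] -= 1
KEY_B = dnskey_rdata(257, 13, bytes(_pk))

# A second key colliding with KEY_A, built the same way at offsets 9 and 11.
_pk = bytearray(PUBKEY_A); _pk[5] += 1; _pk[7] -= 1
KEY_D = dnskey_rdata(257, 13, bytes(_pk))

# Changing an even-offset byte changes the high half: a different tag.
_pk = bytearray(PUBKEY_A); _pk[0] += 1
KEY_C = dnskey_rdata(256, 13, bytes(_pk))  # ZSK flags


if __name__ == "__main__":
    for name, k in (("A", KEY_A), ("B", KEY_B), ("C", KEY_C), ("D", KEY_D)):
        print(f"key {name}: tag {key_tag(k)}")
    print("A,B,C   ->", validate_key_tags([KEY_A, KEY_B, KEY_C]))
    print("A,B,C,D ->", validate_key_tags([KEY_A, KEY_B, KEY_C, KEY_D]))
    print("P(collision | 2 keys) = 1 in", round(1 / p_any_collision(2)))
    print("P(collision | 3 keys) = 1 in", round(1 / p_any_collision(3)))
```

With this policy an attacker who publishes many same-tag keys gets the zone marked bogus rather than a validator that grinds through every candidate; the budget check is the complementary bound that works regardless of whether tags are inspected at all.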
