It appears that Philip Homburg <[email protected]> said:
> The discussion in this thread is the first step in a pattern. Operational
> feedback comes in and is dismissed. Some people don't like it, so there is no
> consensus and nothing will change.
I don't see how that follows. If we do nothing, resolvers will have to check for keytag collisions, and stop after 2 or 3 collisions. If we make this change, resolvers will still have to check for collisions, and perhaps at some time in the future they can stop after 1 collision.

This strikes me as a great deal of effort for a trivial code change in resolvers, potentially requiring a lot of work by people whose DNS setups are more complex than one host with a script that generates the keys.

On the other hand, I think it would be a fine idea to better document all of the ways that resolvers need to have limits to avoid accidental or deliberate DoS.

R's,
John

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
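The resolver-side limit John describes (count the DNSKEYs that share a key tag and stop after a small number of collisions), as an added example that is not part of the thread or any resolver's code. The key tag follows RFC 4034 Appendix B.1; the DNSKEY values, the cap of 2, and the function names are assumptions chosen for illustration.

```python
"""Key-tag collision limit for a DNSKEY RRset (RFC 4034 Appendix B.1 key tags)."""
from collections import defaultdict
import struct


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B.1.

    Applies to every algorithm except 1 (RSA/MD5), which has its own rule.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, byte in enumerate(rdata):
        # Even-offset octets are the high byte of a 16-bit word, odd ones the low byte.
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in
    return ac & 0xFFFF


def candidate_keys(rrset, wanted_tag, max_colliding=2):
    """Return the DNSKEYs a validator should try for an RRSIG carrying wanted_tag.

    Raises once more than max_colliding keys share that tag, so a crafted
    RRset cannot force one signature check per colliding key (the DoS the
    thread is about). max_colliding=2 is an assumed value, not a standard.
    """
    by_tag = defaultdict(list)
    for key in rrset:
        by_tag[key_tag(*key)].append(key)
    candidates = by_tag.get(wanted_tag, [])
    if len(candidates) > max_colliding:
        raise ValueError(
            f"{len(candidates)} DNSKEYs share key tag {wanted_tag}; "
            f"limit is {max_colliding}, refusing to validate"
        )
    return candidates


# Constructed DNSKEY RDATA (flags, protocol, algorithm, public key), not real keys.
# The three short public keys differ but all produce key tag 1039 (assumed values).
COLLIDING_RRSET = [
    (257, 3, 13, b"\x00\x01\x00\x00"),
    (257, 3, 13, b"\x00\x00\x00\x01"),
    (257, 3, 13, b"\x00\x00\x00\x00\x00\x01"),
    (257, 3, 13, b"\x01\x00\x00\x00"),  # key tag 1294, no collision
]

if __name__ == "__main__":
    print(candidate_keys(COLLIDING_RRSET, 1294))  # the single non-colliding key
    print(candidate_keys(COLLIDING_RRSET, 1039, max_colliding=3))  # three keys
    candidate_keys(COLLIDING_RRSET, 1039)  # raises: three keys exceed the cap of 2
```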
