In your letter dated 1 Dec 2025 12:09:19 -0500 you wrote:
>I don't see how that follows. If we do nothing, resolvers will have to check
>for keytag collisions, and stop after 2 or 3 collisions. If we make this change,
>resolvers will still have to check for collisions, and perhaps at some time in
>the future they can stop after 1 collision.
If we make a change now (in requirements for signing) then in some number of years validators can reject DNSKEY RRsets that have key tag collisions or at least strongly limit the number of such sets that are accepted. Validators can also reject RRSIG sets that have multiple RRSIGs with the same key tag or even just give up after a single RRSIG fails to validate.

The main thing is, validators will move in that direction anyhow, whether or not we publish an RFC. It will just be implicit knowledge that you need to know when writing a DNSSEC signer.
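As an added illustration of the validator behaviour discussed in this exchange (not code from the thread's authors or from any DNSSEC implementation), the following Python computes RFC 4034 key tags over DNSKEY RDATA and applies the two limits mentioned: a cap on how many keys in a DNSKEY RRset may share one key tag, and a cap on how many same-tag keys are tried for a single RRSIG. The sample keys, their byte values and the limit values are constructed for the example.

```python
"""Key tag collision limits as a DNSSEC validator might apply them.

Added example; not code from the thread. Key tag arithmetic follows
RFC 4034 Appendix B.1 (the non-algorithm-1 case); the limits and the
sample keys below are constructed for illustration.
"""
from collections import Counter


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 App. B.1 key tag over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even index: high byte, odd index: low byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def tag_counts(dnskeys):
    """Map key tag -> number of DNSKEY records in the RRset sharing it."""
    return Counter(key_tag(*k) for k in dnskeys)


def rrset_acceptable(dnskeys, max_per_tag: int) -> bool:
    """Policy from the thread: reject a DNSKEY RRset once any key tag is
    shared by more than max_per_tag keys (max_per_tag=1 means no collisions)."""
    return all(n <= max_per_tag for n in tag_counts(dnskeys).values())


def keys_to_try(dnskeys, rrsig_key_tag: int, max_tries: int):
    """Keys a validator will attempt for one RRSIG: those matching its key
    tag, but at most max_tries, so a colliding RRset cannot force an
    unbounded number of signature checks."""
    matching = [k for k in dnskeys if key_tag(*k) == rrsig_key_tag]
    return matching[:max_tries]


# Constructed sample RRset: (flags, protocol, algorithm, pubkey). Three of the
# four keys share key tag 2067; the public keys are toy bytes, not real keys.
SAMPLE_DNSKEYS = [
    (256, 3, 13, bytes([0x01, 0x02, 0x03, 0x04])),
    (256, 3, 13, bytes([0x01, 0x03, 0x03, 0x03])),
    (256, 3, 13, bytes([0x02, 0x02, 0x03, 0x04])),
    (256, 3, 13, bytes([0x01, 0x04, 0x03, 0x02])),
]

if __name__ == "__main__":
    print(tag_counts(SAMPLE_DNSKEYS))
    print("lenient (3 per tag):", rrset_acceptable(SAMPLE_DNSKEYS, 3))
    print("strict (no collisions):", rrset_acceptable(SAMPLE_DNSKEYS, 1))
    print("keys tried for tag 2067:", len(keys_to_try(SAMPLE_DNSKEYS, 2067, 2)))
```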
