Hi Philip,

On 12/3/25 09:08, Philip Homburg wrote:
it seems to me that attack mitigations can be grouped into two categories: 1) one-sided mitigations by a resolver that require no standard action 2) mitigations where coordination with operators of authoritative servers is required.

There are many actions that defend against off-path attacks that fall in the first category. It would be nice to write them down, but who is going to do the work? Asking for such an RFC seems a bit like asking for a pony.
Maybe that could be something for the OARC BCP group. (I'm not sure.)
The current thread is a clear example. As far as I can tell, in all that has been said, we have not seen a single operator of a DNSSEC signer (or implementor of a signer that is not a hobby signer) explain what the issues are to avoid key tag collisions, how much work it would be to change the signer, etc.
I haven't written a signer, but deal a lot with signing at deSEC. It's been said a few months back that it's difficult to avoid collisions in a multi-signer setup, because you don't know ahead of time what key the other signer uses. Avoiding them is certainly possible, but requires extra coordination. It seems to me that the complexity of that is (much) larger than continuing to allow ~one collision.
Instead there is a downplaying of the problem.
Not sure what you mean.

Best,
Peter
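The key tag collisions discussed in this thread, as an added example that is not code from either poster or from any signer implementation: the tag is the 16-bit checksum of RFC 4034 Appendix B over the DNSKEY RDATA, so two different keys can share one, and a signer can only avoid that if it knows every other signer's keys. The signer names, the sample key bytes and the helper functions `collisions` and `first_usable` are constructed for the example.

```python
import struct
from collections import defaultdict

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (does not apply to algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # even offsets are the high octet
    acc += (acc >> 16) & 0xFFFF               # fold the carry back in
    return acc & 0xFFFF

def collisions(keys_by_signer: dict) -> dict:
    """Map tag -> signer names, for tags shared by two or more distinct keys."""
    seen = defaultdict(dict)                  # tag -> {rdata: signer}
    for signer, keys in keys_by_signer.items():
        for rdata in keys:
            seen[key_tag(rdata)].setdefault(rdata, signer)
    return {tag: sorted(owners.values())
            for tag, owners in seen.items() if len(owners) > 1}

def first_usable(candidates: list, keys_by_signer: dict):
    """First candidate whose tag no signer's key already uses, else None.

    Assumption: the caller has every signer's current DNSKEYs, which is the
    extra coordination a multi-signer setup would need.
    """
    in_use = {key_tag(k) for keys in keys_by_signer.values() for k in keys}
    return next((c for c in candidates if key_tag(c) not in in_use), None)

# Constructed 64-byte values standing in for algorithm 13 public keys (not real keys).
PK_A = bytes(62) + b"\x12\x34"
PK_B = b"\x12\x34" + bytes(62)    # different key, same 16-bit sum as PK_A
PK_C = bytes(62) + b"\x12\x35"

SIGNER_KEYS = {
    "signer-a": [dnskey_rdata(256, 13, PK_A)],
    "signer-b": [dnskey_rdata(256, 13, PK_B)],
}

if __name__ == "__main__":
    print("colliding tags:", collisions(SIGNER_KEYS))
    new_key = first_usable([dnskey_rdata(256, 13, PK_B), dnskey_rdata(256, 13, PK_C)],
                           {"signer-a": SIGNER_KEYS["signer-a"]})
    print("signer-b should publish the key with tag", key_tag(new_key))
```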
