> Perhaps we should work on the draft I suggested describing the limits that
> resolvers need to have to avoid accidental or deliberate DDoS.
I'm not quite sure what you mean. For key tag collisions such a draft could have the text:

Validators should reject key tag collisions in DNSKEY RRsets and duplicated key tags in signatures for an RRset. Dealing with key tag collisions increases complexity in validator code and provides a larger DoS attack surface. Key tag collisions are extremely rare in today's internet, so the benefit of supporting them is very low. All in all, the cost of supporting key tag collisions is much higher than the limited benefit we get from it.

But how does that help this discussion?

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
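The proposed validator rule above, as an added example that is not code from the thread or from any resolver: compute DNSSEC key tags per RFC 4034 Appendix B over DNSKEY RDATA and reject an RRset whose keys share a tag, or RRSIGs that repeat a key tag, rather than trying every candidate key. The sample keys are constructed (not real keys, and far too short to be), and the key-tag function omits the legacy algorithm-1 rule.

```python
from collections import Counter
from dataclasses import dataclass
import struct

@dataclass(frozen=True)
class DNSKey:
    """Fields of a DNSKEY RR (RFC 4034 section 2)."""
    flags: int         # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int      # always 3
    algorithm: int     # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA per RFC 4034 Appendix B (general case; the legacy
    algorithm-1 RSA/MD5 rule is deliberately not implemented)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8   # sum the RDATA as 16-bit big-endian words
    ac += (ac >> 16) & 0xFFFF                # fold the carry back into the low 16 bits
    return ac & 0xFFFF

def colliding_key_tags(keys) -> list[int]:
    """Key tags shared by more than one DNSKEY in the RRset (empty list = no collision)."""
    counts = Counter(key_tag(k.rdata()) for k in keys)
    return sorted(tag for tag, n in counts.items() if n > 1)

def duplicate_rrsig_key_tags(rrsig_key_tags) -> list[int]:
    """Key tags that occur in more than one RRSIG over the same RRset."""
    counts = Counter(rrsig_key_tags)
    return sorted(tag for tag, n in counts.items() if n > 1)

def validator_accepts(keys, rrsig_key_tags) -> tuple[bool, str]:
    """The proposed rule: reject on DNSKEY tag collisions or duplicated RRSIG key tags
    instead of trying every candidate key (the extra work that widens the DoS surface)."""
    collisions = colliding_key_tags(keys)
    if collisions:
        return False, f"key tag collision in DNSKEY RRset: {collisions}"
    dups = duplicate_rrsig_key_tags(rrsig_key_tags)
    if dups:
        return False, f"duplicated key tag in RRSIGs: {dups}"
    return True, "ok"

# Constructed sample keys (not real keys): ZSK_A and ZSK_B share key tag 1085.
ZSK_A = DNSKey(256, 3, 13, b"\x00\x10\x00\x20")
ZSK_B = DNSKey(256, 3, 13, b"\x00\x00\x00\x30")
KSK = DNSKey(257, 3, 8, b"\xff\xff" * 40)   # long enough to exercise the carry fold (tag 1033)
```

`validator_accepts([ZSK_A, ZSK_B, KSK], [1085, 1033])` is rejected for the DNSKEY collision, while `validator_accepts([ZSK_A, KSK], [1085, 1033])` passes.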
