[DNSOP] Re: Collision Free Key Tags for DNSSEC draft

Paul Wouters <paul@nohats.ca> Wed, 01 October 2025 18:10 UTC

From: Paul Wouters <paul@nohats.ca>
Date: Wed, 01 Oct 2025 14:09:48 -0400
Message-Id: <D3A20344-C1C0-4B19-A210-340662421966@nohats.ca>
References: <D48EDF62-3F16-4B4B-B73D-5F345527ACA4@sury.org>
In-Reply-To: <D48EDF62-3F16-4B4B-B73D-5F345527ACA4@sury.org>
To: Ondřej Surý <ondrej@sury.org>
CC: John R Levine <johnl@taugh.com>, dnsop@ietf.org
Subject: [DNSOP] Re: Collision Free Key Tags for DNSSEC draft
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6KfkcY5vxRiBg2apPZRwrc2YN6g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On Oct 1, 2025, at 07:29, Ondřej Surý <ondrej@sury.org> wrote:
> 
> 
>> On 9. 7. 2025, at 16:43, John R Levine <johnl@taugh.com> wrote:
>> 
>> On Wed, 9 Jul 2025, Petr Špaček wrote:
>>>> https://docs.google.com/presentation/d/1snTpkDcRmJN8bbGx9XrOt5taUdS1xSElMB1Ok8s7Kko
>>> 
>>> I take that as an argument to forbid it!
>>> 
>>> 107 sounds like perfectly tractable number to fix. The two flag days had waaaay wider reach, for example, and way more domains got fixed.
>> 
>> I still don't see the point.
>> 
>> That was a snapshot from a year ago.  If I did it again, the list would be different.  We wouldn't just have to fix the collisions in those 107 domains, we'd have to upgrade *everyone's* software to prevent them in the future.
> 
> Yes, great. That's excellent operational advice: do not run old crap.

Uhmmmm?  The world isn’t that black and white. Additionally, flag days are bad, as they turn production-quality and certified solutions into “old crap” on a single unfortunate day in the future that these deployments have no reason to monitor or track now.

> 
>> Getting rid of all of the potential collisions would be a great deal of work.
> 
> I disagree. It is not a great deal of work. It is a part of normal operational practice.
> Bugs in software get fixed, operators upgrade the software.

It is as if no one remembered these discussions we have had a number of times now. Environments with KSK and ZSK split might find it hard to guarantee this - even if they could, it inserts a human component in a protocol flow where no human is needed now. And the reasons for doing so have not convinced many people on this list.

There is no consensus and it is time to drop this idea.

Paul
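
The collisions the thread argues about are collisions of the 16-bit DNSSEC key tag (RFC 4034, Appendix B) between DNSKEY records of the same zone. As an added example, not code from the thread or from any DNS software: the script below computes key tags over a constructed DNSKEY RRset, lists the tags that coincide, and shows the signer-side check the draft proposal amounts to (discard a freshly generated key whose tag is already in use and generate another). The DNSKEY records and candidate keys are constructed with tiny fake public keys so the arithmetic can be followed by hand; real public keys are hundreds of bytes and the tag is just a checksum, so unrelated keys collide by chance.

```python
"""Key tag computation (RFC 4034 Appendix B.1) and collision checks for a DNSKEY RRset.

Constructed example; not code from the DNSOP thread or from any DNS implementation.
The DNSKEY records below use fake 4-byte public keys so the sums can be checked by
hand. Real keys are far longer, and the tag is a 16-bit checksum, so two unrelated
keys in one zone collide by chance.
"""
import base64
import struct
from collections import defaultdict


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Serialise the DNSKEY RDATA exactly as it appears on the wire."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the whole RDATA.

    Algorithm 1 (RSA/MD5) used a different rule (Appendix B.1, last paragraph)
    and is deprecated; it is rejected here rather than silently miscomputed.
    """
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) key tags are not supported")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF                # fold the carry out of the low 16 bits back in
    return ac & 0xFFFF


def find_collisions(rrset):
    """Return {tag: [record, ...]} for every tag shared by two or more records.

    `rrset` is an iterable of (flags, protocol, algorithm, pubkey_b64) tuples.
    """
    by_tag = defaultdict(list)
    for rec in rrset:
        by_tag[key_tag(dnskey_rdata(*rec))].append(rec)
    return {tag: recs for tag, recs in by_tag.items() if len(recs) > 1}


def first_non_colliding(candidates, existing):
    """Pick the first candidate whose tag is not used by any record in `existing`.

    This is the signer-side check under discussion: instead of cleaning up
    collisions after the fact, a signer that just generated a key discards it
    and generates again whenever its tag matches a key already in the RRset.
    `candidates` stands in for successive key generations (hypothetical here,
    since no real key generation is performed).
    """
    taken = {key_tag(dnskey_rdata(*rec)) for rec in existing}
    for cand in candidates:
        if key_tag(dnskey_rdata(*cand)) not in taken:
            return cand
    return None


# Constructed DNSKEY RRset: a KSK (flags 257) and two ZSKs (flags 256), all
# algorithm 13, with fake 4-byte public keys chosen so that two tags coincide.
EXAMPLE_RRSET = [
    (257, 3, 13, "AAAAAA=="),   # tag 1038
    (256, 3, 13, "AAEAAA=="),   # tag 1038: collides with the KSK
    (256, 3, 13, "AAIAAA=="),   # tag 1039
]

# Constructed replacement-ZSK candidates, standing in for repeated generation.
CANDIDATE_ZSKS = [
    (256, 3, 13, "AAAAAQ=="),   # different key, but tag 1038 again: rejected
    (256, 3, 13, "AAMAAA=="),   # tag 1040: accepted
]

if __name__ == "__main__":
    for rec in EXAMPLE_RRSET:
        print(rec, "tag", key_tag(dnskey_rdata(*rec)))
    print("collisions:", find_collisions(EXAMPLE_RRSET))
    print("replacement:", first_non_colliding(CANDIDATE_ZSKS, EXAMPLE_RRSET))
```

The KSK/ZSK split Paul mentions is visible in `first_non_colliding`: the check only works if whoever generates the new key can see the tags of every key the other party already has in the RRset, which is exactly the coordination point that is absent from the protocol today.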