[DNSOP] Re: Collision Free Key Tags for DNSSEC draft
Paul Wouters <paul@nohats.ca> Wed, 01 October 2025 18:10 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id AE37F6BFA03F for <dnsop@mail2.ietf.org>; Wed, 1 Oct 2025 11:10:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7GGYs1TexqUz for <dnsop@mail2.ietf.org>; Wed, 1 Oct 2025 11:10:13 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id F1CD16BFA037 for <dnsop@ietf.org>; Wed, 1 Oct 2025 11:10:12 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4ccNHw4qpfz9nm; Wed, 1 Oct 2025 20:10:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1759342204; bh=rimVes1IQXMK702UxEU1ShMbf/pnUuUp01u2822OBq4=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=uhhNdktK6sDC+lzsY9qzUVxP42Iy9he36s4oyGHxPDiG3ogAN+aSlbUpcZTM36L9J l3Zu8yPcXglLY7mJ3Ti+gAhwmtY7anIFqIWq6z9ZcZYU4MeSDPRpTlKHuSXj/BN+1O chtUtSWKpo+C2TP/JwawTMPN11fPr3imVgM3t60A=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id FdXoXE74pk16; Wed, 1 Oct 2025 20:10:03 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 1 Oct 2025 20:10:03 +0200 (CEST)
Received: from smtpclient.apple (unknown [72.136.119.159]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id DDE8317168E2; Wed, 01 Oct 2025 14:10:01 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Wed, 01 Oct 2025 14:09:48 -0400
Message-Id: <D3A20344-C1C0-4B19-A210-340662421966@nohats.ca>
References: <D48EDF62-3F16-4B4B-B73D-5F345527ACA4@sury.org>
In-Reply-To: <D48EDF62-3F16-4B4B-B73D-5F345527ACA4@sury.org>
To: Ondřej Surý <ondrej@sury.org>
X-Mailer: iPhone Mail (22G100)
Message-ID-Hash: 7AVEHTVH3MHHC3EU4HIZSMPZVM54JCID
X-Message-ID-Hash: 7AVEHTVH3MHHC3EU4HIZSMPZVM54JCID
X-MailFrom: paul@nohats.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: John R Levine <johnl@taugh.com>, dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Collision Free Key Tags for DNSSEC draft
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6KfkcY5vxRiBg2apPZRwrc2YN6g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
On Oct 1, 2025, at 07:29, Ondřej Surý <ondrej@sury.org> wrote: > > >> On 9. 7. 2025, at 16:43, John R Levine <johnl@taugh.com> wrote: >> >> On Wed, 9 Jul 2025, Petr Špaček wrote: >>>> https://docs.google.com/presentation/d/1snTpkDcRmJN8bbGx9XrOt5taUdS1xSElMB1Ok8s7Kko >>> >>> I take that as an argument to forbid it! >>> >>> 107 sounds like perfectly tractable number to fix. The two flag days had waaaay wider reach, for example, and way more domains got fixed. >> >> I still don't see the point. >> >> That was a snapshot from a year ago. If I did it again, the list would be different. We wouldn't have just to fix the collisions in those 107 domains, > >> we'd have to upgrade *everyone's* software to prevent them in the future. > > Yes, great. That's an excellent operational advice to not run old crap. Uhmmmm ? The world isn’t that black and white. Additionally, flag days are bad as it turns production quality and certified solutions into “old crap” on a single unfortunate day in the future these deployments have no reason to monitor or track now. > >> Getting rid of all of the potential collisions would be a great deal of work. > > I disagree. It is not a great deal of work. It is a part of normal operational practice. > Bugs in software gets fixed, operators upgrade the software. It is as no one remembered these discussions we had a number of times now. Environments with KSK and ZSK split might find it hard to guarantee this - even if they could, it inserts a human component in a protocol flow where no human is needed now. And the reason for doing so have not convinced many people on this list. There is no consensus and it is time to drop this idea. Paul
- [DNSOP] Collision Free Key Tags for DNSSEC draft Shumon Huque
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Yorgos Thessalonikefs
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Jim Reid
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ted Lemon
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ted Lemon
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Jim Reid
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Steve Crocker
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Steve Crocker
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Warren Kumari
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Warren Kumari
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ralf Weber
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Hoffman
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Wouters
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Petr Špaček
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John R Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Mark Andrews
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Shumon Huque
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Petr Špaček
- [DNSOP] Re: [Ext] Collision Free Key Tags for DNS… Paul Hoffman
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ondřej Surý
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Yorgos Thessalonikefs
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ondřej Surý
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ted Lemon
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Joe Abley
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Miek Gieben
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Johan Stenstam
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine