[DNSOP] Re: Collision Free Key Tags for DNSSEC draft

Johan Stenstam <johan.stenstam@internetstiftelsen.se> Fri, 12 December 2025 08:46 UTC

CC: Philip Homburg <pch-dnsop-7@u-1.phicoh.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D0EgkaM4bSCpWMqluk2RfFaVMeI>

I’ve been watching this thread, on and off, for months, with the intent of not commenting.

I admit to finding it a bit fascinating that this issue, which more or less everyone seems to agree is, well, marginal and has simple solutions, has soaked up more than 100 replies over the last five months.

That’s a significant fraction of the working group activity during that time.

I shouldn’t say this but I will: This is bike shedding.

That said, I mean absolutely no disrespect to the authors. I happen to agree with the draft (i.e. I would prefer disallowing key tag collisions in the future), but that’s beside the point.

Philip Homburg wrote:

> In my opinion this is a quality of implementation issue. We should
> not design a multi-signer protocol that has collisions even if there is
> no document that requires it.
>
> You are right that it requires extra effort. But it also has
> benefits. For example, testing software if all code paths properly handle
> keys with key tag collisions is also unpleasant.

This is my view too. It aligns with the old mantra of “be conservative with what you send and liberal with what you accept”.

Johan