Re: [DNSOP] [Ext] About key tags

Peter Thomassen <peter@desec.io> Tue, 27 February 2024 18:51 UTC

Message-ID: <f8033eb5-2a26-421a-a40b-826c2eaecbbb@desec.io>
Date: Tue, 27 Feb 2024 13:50:48 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Mark Andrews <marka@isc.org>, Bob Harold <rharolde@umich.edu>
Cc: Ralf Weber <dns@fl1ger.de>, Paul Hoffman <paul.hoffman@icann.org>, IETF DNSOP WG <dnsop@ietf.org>
References: <149c1bd9-6494-429c-8e87-e6a35c5e51de@isc.org> <E1E4C8E8-6D48-430E-9467-DEA2D37640D1@nohats.ca> <1C718716-6F4D-4002-86F7-98EF4DF1D636@akamai.com> <B6EADAB1-AE76-43CD-A127-32ECE3A65324@icann.org> <14F59E40-A2EF-4ACE-9AC3-6AE4D8C59A88@fl1ger.de> <7AA5AD7C-5A9B-4144-B7EB-DC2F2E9EF2B2@icann.org> <7137A5D8-276E-4D60-A8E2-F8446641DFDA@fl1ger.de> <CA+nkc8ARnBctoah5EkY9vpXzJ_TH6wX1dO=bZTKh5Lu1cw=XEg@mail.gmail.com> <06B7D221-FF3C-41EF-8B0C-DE66F5091087@isc.org>
Content-Language: en-US
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <06B7D221-FF3C-41EF-8B0C-DE66F5091087@isc.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LXGBcYcYROlOXfS8O8VSo25DJAs>
Subject: Re: [DNSOP] [Ext] About key tags
Precedence: list


On 2/15/24 22:53, Mark Andrews wrote:
> But we can state that they should be avoided when generating new DNSKEYs. BIND has been avoiding key tag collisions for 2 decades now when generating new keys. Multi-signers all have to have the current published DNSKEY RRset which includes *all* DNSKEYs as part of their publication process.
Multi-signer peers do not need to publish each other's KSKs. A DNSKEY response only needs to contain the KSK suitable for validating the response RRset itself (i.e., the responding peer's KSK), and any ZSKs/CSKs that may be needed for validation of other responses.

Multi-signers thus aren't necessarily aware of keytag collisions across KSKs.

When using DS provisioning automation via CDS/CDNKSEY, they'll have to exchange each other's KSKs for publishing a joint C* RRset (as in draft-thomassen-dnsop-mske). The collision could be detected then, but using C* automation is not required.

Best,
Peter

[DNSOP] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
Re: [DNSOP] About key tags Mark Andrews
Re: [DNSOP] About key tags Wellington, Brian
Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Petr Špaček
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Joe Abley
Re: [DNSOP] [Ext] About key tags Petr Špaček
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Havard Eidnes
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Yorgos Thessalonikefs
Re: [DNSOP] [Ext] About key tags Jim Reid
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Ralf Weber
Re: [DNSOP] [Ext] About key tags Jim Reid
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Ralf Weber
Re: [DNSOP] [Ext] About key tags Petr Špaček
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Paul Hoffman
Re: [DNSOP] [Ext] About key tags Donald Eastlake
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Petr Špaček
Re: [DNSOP] [Ext] About key tags Paul Wouters
Re: [DNSOP] [Ext] About key tags Paul Hoffman
Re: [DNSOP] [Ext] About key tags Paul Wouters
Re: [DNSOP] [Ext] About key tags Wellington, Brian
Re: [DNSOP] [Ext] About key tags Paul Hoffman
Re: [DNSOP] [Ext] About key tags Wellington, Brian
Re: [DNSOP] [Ext] About key tags Ralf Weber
Re: [DNSOP] [Ext] About key tags Paul Wouters
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Ralf Weber
Re: [DNSOP] [Ext] About key tags Paul Hoffman
Re: [DNSOP] [Ext] About key tags Ralf Weber
Re: [DNSOP] [Ext] About key tags Bob Harold
Re: [DNSOP] [Ext] About key tags Ted Lemon
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Jim Reid
Re: [DNSOP] [Ext] About key tags libor.peltan
Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Joe Abley
Re: [DNSOP] [Ext] About key tags Petr Špaček
Re: [DNSOP] [Ext] About key tags Jim Reid
Re: [DNSOP] [Ext] About key tags Jim Reid
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Peter Thomassen
Re: [DNSOP] [Ext] About key tags Peter Thomassen
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Paul Hoffman
Re: [DNSOP] [Ext] About key tags John Levine
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags John R Levine
Re: [DNSOP] [Ext] About key tags and sensible lim… John Levine
Re: [DNSOP] [Ext] About key tags Paul Wouters
Re: [DNSOP] [Ext] About key tags libor.peltan
Re: [DNSOP] [Ext] About key tags John Levine
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Paul Hoffman
Re: [DNSOP] [Ext] About key tags and their infreq… John R Levine
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Paul Wouters
Re: [DNSOP] [Ext] About key tags and collision nu… John R Levine
Re: [DNSOP] [Ext] About key tags Paul Hoffman
Re: [DNSOP] [Ext] About key tags and collision nu… Mark Andrews
Re: [DNSOP] [Ext] About key tags Ralf Weber
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Joe Abley
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Ted Lemon
Re: [DNSOP] [Ext] About key tags Paul Wouters
Re: [DNSOP] [Ext] About key tags John R Levine
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags Lanlan Pan
Re: [DNSOP] [Ext] About key tags Paul Wouters
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
Re: [DNSOP] [Ext] About key tags John R Levine
Re: [DNSOP] [Ext] About key tags Joe Abley
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags John R Levine
Re: [DNSOP] [Ext] About key tags Bob Harold
Re: [DNSOP] [Ext] About key tags Mark Andrews
Re: [DNSOP] [Ext] About key tags John R Levine
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Peter Thomassen
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Peter Thomassen
Re: [DNSOP] [Ext] About key tags John R Levine
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags John Levine
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
Re: [DNSOP] [Ext] About key tags John Levine
Re: [DNSOP] [Ext] Nothing more useful to say Abou… Philip Homburg
Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
Re: [DNSOP] [Ext] About key tags Dave Lawrence
Re: [DNSOP] [Ext] About key tags Shumon Huque
Re: [DNSOP] [Ext] About key tags Philip Homburg
Re: [DNSOP] [Ext] About key tags Edward Lewis
Re: [DNSOP] [Ext] About key tags Petr Špaček