[DNSOP] Re: Collision Free Key Tags for DNSSEC draft

John R Levine <johnl@taugh.com> Thu, 17 July 2025 09:20 UTC

Date: Thu, 17 Jul 2025 11:19:54 +0200
Message-ID: <4b850b28-20a4-f2a9-ac67-cba85a5ffe5d@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>, dnsop@ietf.org
In-Reply-To: <m1ubzCO-0000NUC@stereo.hq.phicoh.net>
References: <d279f933-f00c-0392-80e2-0c6928b50af3@taugh.com> <C1251C46-3646-4885-A465-BFAF2BE23334@isc.org> <79638578-1dfc-d48c-9341-46cbde9e7feb@taugh.com> <CAHw9_iK+6xwATjbRs_9ZMNmbiX_SRxHpzbwG3SCN53BmPdqCMg@mail.gmail.com> <F5F9D9E2-90DD-40B1-824B-57C4380DDA67@icann.org> <m1ubcE5-0000NuC@stereo.hq.phicoh.net> <8c4b4f9c-8c8c-7a2d-f2da-9aff895e40f1@nohats.ca> <m1ubhSb-0000NeC@stereo.hq.phicoh.net> <20250715162332.73A0DD34AE04@ary.qy> <m1ubzCO-0000NUC@stereo.hq.phicoh.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Subject: [DNSOP] Re: Collision Free Key Tags for DNSSEC draft
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YL7bzzijtJW3wZ6zeuvLHYpxzlc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Wed, 16 Jul 2025, Philip Homburg wrote:
> The problem is that recursors just set random limits that seem to work most
> of the time. On the authoritative side, these limits are largely unknown,
> let alone the effect on validation of errors in multiple zones.
>
> Recently as a result of reports of potential DoS attacks, resolvers have
> reduced limits to the point where at cold start queries often exceed those
> limits.

I believe you, but I don't understand why someone would pick this 
particular limit as a hill to die on.  Why not CNAMEs?  Or the number of 
chained NS?  Or the number of RRSIGs?  Or any of a dozen others?

> Discussions about limits fail. And it is not even clear why they fail.
> For example, who would be the affected parties of a BCP that has a
> statement that DNSSEC signers MUST NOT generate key tag collisions?

For a start, those of us who don't understand what that would mean.  Is it 
just advice to zone operators about how to sign?  Does it tell recursors 
to fail as soon as they see a duplicate key tag, even though we know that 
there's a small but nonzero number of innocent collisions?

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
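The key tag computation and the signer-side check that a "MUST NOT generate key tag collisions" rule would imply, as an added example that is not code from the thread, from any signer, or from any resolver. It implements the RFC 4034 Appendix B algorithm over DNSKEY RDATA, finds tags shared by distinct keys, and rejects a candidate key whose tag is already in use in the zone. The sample keys are constructed: the 64 deterministic bytes stand in for an ECDSA P-256 public key and are not a real key, and the colliding pair is built by swapping two octets at even offsets, which leaves the 16-bit word sum, and so the tag, unchanged.

```python
"""Key tags (RFC 4034 Appendix B) and key-tag collision checks.

Added example, not code from the DNSOP thread or any DNSSEC signer.
Sample DNSKEY material below is constructed and not a real key.
"""
import base64
import struct
from collections import defaultdict


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation):
    """Parse 'FLAGS PROTO ALG BASE64...' (presentation format) into RDATA."""
    fields = presentation.split()
    flags, protocol, algorithm = (int(x) for x in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata):
    """Key tag of a DNSKEY RR, computed over the whole RDATA."""
    algorithm = rdata[3]
    if algorithm == 1:
        # Appendix B.1: RSA/MD5 (obsolete per RFC 8624) uses the
        # next-to-last two octets of the modulus instead of the sum.
        return int.from_bytes(rdata[-3:-1], "big")
    # Appendix B: sum of the RDATA as big-endian 16-bit words, with a
    # trailing odd octet treated as the high byte of a final word.
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag_collisions(rdatas):
    """Map tag -> list of distinct RDATA sharing it; only tags with > 1."""
    by_tag = defaultdict(list)
    for rdata in rdatas:
        tag = key_tag(rdata)
        if rdata not in by_tag[tag]:
            by_tag[tag].append(rdata)
    return {tag: keys for tag, keys in by_tag.items() if len(keys) > 1}


def admit_new_key(existing, candidates):
    """Signer-side rule: accept the first candidate whose tag is unused.

    Returns (rdata, rejected_count), or (None, rejected_count) if every
    candidate collides.  A real signer would generate a fresh key on each
    rejection; candidates are supplied here so the example runs offline.
    """
    in_use = {key_tag(r) for r in existing}
    rejected = 0
    for cand in candidates:
        if key_tag(cand) in in_use:
            rejected += 1
            continue
        return cand, rejected
    return None, rejected


# Constructed sample keys (hypothetical; not real cryptographic keys).
PUBKEY_A = bytes(range(64))
# Octets 0 and 2 swapped: both sit at even RDATA offsets, so the word
# sum and therefore the key tag are identical, but the key differs.
PUBKEY_B = bytes([2, 1, 0]) + bytes(range(3, 64))
KSK_A = dnskey_rdata(257, 3, 13, PUBKEY_A)
KSK_B = dnskey_rdata(257, 3, 13, PUBKEY_B)   # collides with KSK_A
ZSK_C = dnskey_rdata(256, 3, 13, PUBKEY_A)   # other flags, other tag

if __name__ == "__main__":
    for name, rdata in (("KSK_A", KSK_A), ("KSK_B", KSK_B), ("ZSK_C", ZSK_C)):
        print(name, key_tag(rdata))
    clashes = key_tag_collisions([KSK_A, KSK_B, ZSK_C])
    print("colliding tags:", {t: len(k) for t, k in clashes.items()})
    print("admitted:", admit_new_key([KSK_A], [KSK_B, ZSK_C]))
```

The same `key_tag` function is what a validator uses to select candidate DNSKEYs for an RRSIG; because the tag is a 16-bit checksum and not a unique identifier, a validator has to try every key that matches the tag, which is exactly where the per-query work that resolver limits bound comes from. The signer-side check above only prevents a zone from adding to that work; it says nothing about how a resolver should treat a zone that already contains a collision.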