[DNSOP] Re: Collision Free Key Tags for DNSSEC draft
John R Levine <johnl@taugh.com> Sun, 13 July 2025 20:12 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6E749438ECF0 for <dnsop@mail2.ietf.org>; Sun, 13 Jul 2025 13:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.401
X-Spam-Level:
X-Spam-Status: No, score=-4.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="jRq7PqV9"; dkim=pass (2048-bit key) header.d=taugh.com header.b="hm/7G1k/"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XCSWFa_xw4a9 for <dnsop@mail2.ietf.org>; Sun, 13 Jul 2025 13:12:17 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C7114438ECEB for <dnsop@ietf.org>; Sun, 13 Jul 2025 13:12:17 -0700 (PDT)
Received: (qmail 53410 invoked from network); 13 Jul 2025 20:12:17 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding; s=d0a068741321.k2507; t=1752437527; x=1752783127; bh=Y8HM8lVkQlZO4YwVEpIf4bJH+SMDGPYn6yeAtIKKLD0=; b=jRq7PqV99cBgfIh0wcQlPNjJ1Yc3ZT2BfgrdrxVJ8RQU0XLLKtDgklzNxau0GTOyp8bdDeapWTNOP7RFA6lkEKVYYi6K9C1hBvhKcvJRJAUJyLNxLj5jQ5azUdLcpJrSlyE1HDgSn9FYYPTjhjBRHssnO8JDkPnoduxxc6opNpPCZEzQ2/FDxM/hGb+tlMDfelts5lLQjzTGCfjC+Ilbvoimid83uYzdd8nTIZWCaLrkLa/QmMb6+CagSR1WP7+8dla4t9NZEtUvK0po93TMj/2r/WpgFxxp7zfNY42C0ofYKiUBQ3hRgn8yAVhqR7z+8LHQJiqos8U/Gx0yBq5+7Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding; s=d0a068741321.k2507; bh=Y8HM8lVkQlZO4YwVEpIf4bJH+SMDGPYn6yeAtIKKLD0=; b=hm/7G1k/d7qpQ1RlLfbERo+ts5WEyN4nQUjbTm8BvpldGpJRPoCxY7QOGrUXJknXOZuQ9SJldzJVih3CBxrZfw+Jbl34QYxvACeYPoz/mcitKvEC/NTqH/I9E6MaFbN/NSANxvSDGq9M9PBvT43zGGemE4Ic+s7FH3bbYM/9HieuFiH2iwKktUP3MDOHBTQATYMQ7GDJd0wGoCLzbPAYfVTlJyYkwLuOCM5k/DtAzc1R2CDGoisoCbJMj4ymvyVW75v9/2g4vawrMnhqRtqJsO9CHNtJjnMw/iJctpTW4vYhBQ1YXsJysXZAX36mtSmie4uLOvgMG4zix5V4cbdrng==
Received: from ary.qy ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 13 Jul 2025 20:12:16 -0000
Received: by ary.qy (Postfix, from userid 501) id 48215D31189A; Sun, 13 Jul 2025 16:12:16 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id 10783D31187C; Sun, 13 Jul 2025 16:12:16 -0400 (EDT)
Date: Sun, 13 Jul 2025 16:12:15 -0400
Message-ID: <79638578-1dfc-d48c-9341-46cbde9e7feb@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <C1251C46-3646-4885-A465-BFAF2BE23334@isc.org>
References: <d279f933-f00c-0392-80e2-0c6928b50af3@taugh.com> <C1251C46-3646-4885-A465-BFAF2BE23334@isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: VUKTYFMUVI7JOHHB4HEM6BIRW6JH4QCD
X-Message-ID-Hash: VUKTYFMUVI7JOHHB4HEM6BIRW6JH4QCD
X-MailFrom: johnl@taugh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Collision Free Key Tags for DNSSEC draft
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hamH9grEUVWaTqzZBX6EhYffnSY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
On Mon, 14 Jul 2025, Mark Andrews wrote: > John you keep stating that everything is working ok. We only have a small percentage of all responses signed, multiple signers are already enforcing the desired behaviour. There is also no requirement that every key signs every RRset so there isn’t always another RRSIG to try to compare against. There also isn’t a lot headroom in the system as the percentage of zones being signed increases and with that more verifies per resolution. > Having trial and error in the protocol is a design error IMHO. We are trying to fix that error. Yes there is an installed base but that is not a reason to not fix the error. We're talking past each other. While I think it would be a fine idea for zone signers to avoid duplicate keys, it should be obvious that no matter what we say, there will be duplicate keys and resolvers have to defend against it, so nothing will get simpler. As I said to Warren, as operational advice, sure. But writing MUST and expecting things to change in the next decade is silly. R's, John
- [DNSOP] Collision Free Key Tags for DNSSEC draft Shumon Huque
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Yorgos Thessalonikefs
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Jim Reid
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ted Lemon
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ted Lemon
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Jim Reid
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Steve Crocker
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Steve Crocker
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Warren Kumari
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Warren Kumari
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ralf Weber
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Hoffman
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Wouters
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Petr Špaček
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… John R Levine
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Mark Andrews
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Shumon Huque
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Petr Špaček
- [DNSOP] Re: [Ext] Collision Free Key Tags for DNS… Paul Hoffman
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ondřej Surý
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Yorgos Thessalonikefs
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Collision Free Key Tags for… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ondřej Surý
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Ted Lemon
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Mark Andrews
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Joe Abley
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Paul Wouters
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Miek Gieben
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Petr Špaček
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Peter Thomassen
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Johan Stenstam
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Philip Homburg
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… Libor Peltan
- [DNSOP] Re: Collision Free Key Tags for DNSSEC dr… John R Levine