[DNSOP] Re: Collision Free Key Tags for DNSSEC draft

John R Levine <johnl@taugh.com> Sun, 13 July 2025 20:12 UTC

Date: Sun, 13 Jul 2025 16:12:15 -0400
Message-ID: <79638578-1dfc-d48c-9341-46cbde9e7feb@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <C1251C46-3646-4885-A465-BFAF2BE23334@isc.org>
References: <d279f933-f00c-0392-80e2-0c6928b50af3@taugh.com> <C1251C46-3646-4885-A465-BFAF2BE23334@isc.org>
CC: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Re: Collision Free Key Tags for DNSSEC draft
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hamH9grEUVWaTqzZBX6EhYffnSY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On Mon, 14 Jul 2025, Mark Andrews wrote:
> John, you keep stating that everything is working ok. We only have a small percentage of all responses signed; multiple signers are already enforcing the desired behaviour.  There is also no requirement that every key signs every RRset, so there isn’t always another RRSIG to try to compare against.  There also isn’t a lot of headroom in the system as the percentage of zones being signed increases and, with that, more verifies per resolution.
> Having trial and error in the protocol is a design error IMHO. We are trying to fix that error.  Yes, there is an installed base, but that is not a reason to not fix the error.

We're talking past each other.

While I think it would be a fine idea for zone signers to avoid duplicate 
keys, it should be obvious that no matter what we say, there will be 
duplicate keys and resolvers have to defend against it, so nothing will 
get simpler.

As I said to Warren, as operational advice, sure.  But writing MUST and 
expecting things to change in the next decade is silly.

R's,
John
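The two sides of the disagreement above come down to one mechanism: the 16-bit key tag that an RRSIG carries selects candidate DNSKEYs, and a validator has to try every candidate with a matching tag. The following is an added example written for this page; it is not code from the thread, from the draft, or from any resolver. The key tag computation is the one in RFC 4034 Appendix B and the candidate selection follows the matching rules of RFC 4035 section 5.3.1 (owner-name matching is omitted). The DNSKEY material, the RRset bytes, and the `max_attempts` cap are constructed for the example, and the HMAC "signature" is an explicitly labelled stand-in for real RRSIG verification so the block runs with the standard library alone.

```python
"""Key tags, trivially constructed collisions, and the validator's trial loop.

Added example for this page.  Only key_tag() is standardised (RFC 4034 App. B);
the collision construction, the signer-side check, the HMAC stand-in for RRSIG
verification and the attempt cap are illustrative choices for this example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8     # big-endian 16-bit words, summed
    ac += (ac >> 16) & 0xFFFF            # fold the carry once
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = zone key (ZSK), 257 = zone key + SEP (KSK)
    protocol: int     # must be 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256 (only used as a label here)
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        return key_tag(self.rdata())


def colliding_key(key: DNSKEY) -> DNSKEY:
    """A different DNSKEY with the same key tag.

    The tag is a sum of 16-bit words and the public key starts at an even RDATA
    offset, so swapping two 16-bit words of the key changes the key bytes but not
    the sum.  Collisions cost nothing to construct; they need not be accidental.
    """
    pk = key.public_key
    assert len(pk) >= 4 and pk[0:2] != pk[2:4], "need two distinct leading words"
    return DNSKEY(key.flags, key.protocol, key.algorithm, pk[2:4] + pk[0:2] + pk[4:])


def signer_accepts(existing: list, candidate: DNSKEY) -> bool:
    """Operational check for a signer: refuse a new key whose (algorithm, tag)
    pair collides with a key already in the DNSKEY RRset."""
    taken = {(k.algorithm, k.key_tag()) for k in existing}
    return (candidate.algorithm, candidate.key_tag()) not in taken


def stand_in_sign(key: DNSKEY, data: bytes) -> bytes:
    # STAND-IN, not DNSSEC: HMAC keyed by the public-key bytes.  It only gives the
    # trial loop a verify step that succeeds for exactly one of the candidate keys.
    return hmac.new(key.public_key, data, hashlib.sha256).digest()


def stand_in_verify(key: DNSKEY, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(key, data), sig)


def resolver_validate(dnskeys: list, rrsig_alg: int, rrsig_tag: int,
                      data: bytes, sig: bytes, max_attempts: int = 4):
    """RFC 4035 5.3.1 candidate selection, then try each candidate in turn.

    Returns (verified, attempts).  max_attempts is an illustrative bound on the
    work a validator will spend on one RRSIG; it is not from the RFCs.
    """
    candidates = [k for k in dnskeys
                  if k.protocol == 3 and k.flags & 0x0100      # zone key bit set
                  and k.algorithm == rrsig_alg and k.key_tag() == rrsig_tag]
    attempts = 0
    for k in candidates:
        if attempts >= max_attempts:
            break
        attempts += 1
        if stand_in_verify(k, data, sig):
            return True, attempts
    return False, attempts


def demo():
    """Constructed keys (not real key material): two KSKs sharing one tag."""
    ksk = DNSKEY(257, 3, 13, bytes(range(1, 65)))
    twin = colliding_key(ksk)
    zone_keys = [ksk, twin]
    data = b"example. 3600 IN A 192.0.2.1"       # stands in for the canonical RRset
    sig = stand_in_sign(twin, data)               # signed with the second key
    ok, attempts = resolver_validate(zone_keys, 13, ksk.key_tag(), data, sig)
    return ksk.key_tag(), twin.key_tag(), ok, attempts


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the point on both sides of the thread at once: `signer_accepts` is the cheap check a signer can apply before publishing a key, while `resolver_validate` still has to walk every matching candidate (two attempts here, the second succeeding) because nothing stops a zone, accidentally or deliberately, from publishing colliding tags. The cap on attempts is the validator's own protection and is independent of what signers promise.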