[DNSOP] Re: Collision Free Key Tags for DNSSEC draft

Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> Tue, 08 July 2025 15:21 UTC

Message-ID: <a6aed8f2-51c7-4662-be8c-a5ff6ac8f5a1@nlnetlabs.nl>
Date: Tue, 08 Jul 2025 17:16:17 +0200
To: dnsop@ietf.org
References: <0c4715d1-cd1b-4726-a372-6ac3c26af786@nic.cz> <45260BA6-B4C0-4A2C-8E69-51D72C833C1F@nohats.ca> <b5674176-304a-e96e-22d4-d2a3818a1195@taugh.com>
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
In-Reply-To: <b5674176-304a-e96e-22d4-d2a3818a1195@taugh.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hf-_dB7PBHwB5jZbDpQv00IFSrE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On 08/07/2025 16:23, John R Levine wrote:
> On Tue, 8 Jul 2025, Paul Wouters wrote:
>> A better solution would be for resolvers to detect when they are under 
>> keytag DoS, and then take countermeasures - not for the protocol to 
>> be changed and made more complicated.
> 
> Exactly.  Malicious (or I suppose buggy) signers can publish colliding 
> keytags, so resolvers have to defend against it.  Changing the spec 
> won't change that.
> 
This is part of computational attacks and resolvers currently defend 
against it in various ways.
Various ways that could give resolution inconsistencies between 
implementations (I am not considering the actual attack scenario because 
no one cares about that resolution).
That is why this draft could give definitive advice on how to deal with 
key collisions IMHO.

Best regards,
-- Yorgos
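The thread above turns on two facts: the DNSSEC key tag (RFC 4034 Appendix B) is a 16-bit checksum over the DNSKEY RDATA, so several keys can legitimately share one tag, and a validator that tries every matching key without a limit does unbounded signature work for one RRset. The example below is added here to illustrate that, and is not code from the draft, the posters, or any resolver implementation. It implements the key tag computation, selects candidate keys by (algorithm, key tag) the way a validator does, and bounds the total number of signature checks per RRset with an assumed per-RRset budget (`MAX_CRYPTO_OPS_PER_RRSET`, a policy knob whose real value is the kind of thing the message asks the draft to specify). The DNSKEY material is constructed placeholder bytes, not real keys, and `toy_sign`/`toy_verify` are a hash-based stand-in for the real signature algorithm; only the key-selection and work-limiting control flow is meant to be realistic.

```python
"""Key tag computation (RFC 4034 Appendix B) and a bounded DNSSEC validation
loop that tolerates colliding key tags.

Added illustration for the mailing-list discussion; not code from the draft,
the posters, or any resolver. Keys are constructed placeholders and the
signature scheme is a hash-based stand-in, so only the control flow around
candidate-key selection and the per-RRset work budget is realistic.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (all algorithms
    except the obsolete RSA/MD5 special case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def tag(self) -> int:
        return key_tag(self.rdata())


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


# Stand-in for the real signature algorithm (constructed, NOT DNSSEC crypto):
# a "signature" is valid when it equals H(key rdata || signed data).
def toy_sign(key: DNSKEY, signed_data: bytes) -> bytes:
    return hashlib.sha256(key.rdata() + signed_data).digest()


def toy_verify(key: DNSKEY, signed_data: bytes, signature: bytes) -> bool:
    return toy_sign(key, signed_data) == signature


MAX_CRYPTO_OPS_PER_RRSET = 4  # assumed tunable; the real value is resolver policy


def validate_rrset(signed_data: bytes, rrsigs: List[RRSIG], dnskeys: List[DNSKEY],
                   verify: Callable[[DNSKEY, bytes, bytes], bool] = toy_verify,
                   budget: int = MAX_CRYPTO_OPS_PER_RRSET) -> Tuple[str, int]:
    """Return (status, crypto_ops). Key tag and algorithm only pre-select
    candidates; each candidate costs one verification, and the budget bounds
    the total so colliding tags cannot turn one RRset into unbounded work.
    Exhausting the budget yields 'bogus' rather than more work."""
    ops = 0
    for sig in rrsigs:
        candidates = [k for k in dnskeys
                      if k.algorithm == sig.algorithm and k.tag() == sig.key_tag]
        for key in candidates:
            if ops >= budget:
                return "bogus", ops
            ops += 1
            if verify(key, signed_data, sig.signature):
                return "secure", ops
    return "bogus", ops


def tag_collisions(dnskeys: List[DNSKEY]) -> Dict[int, int]:
    """Count DNSKEYs per key tag and return only tags held by more than one
    key: the condition a resolver would log or rate-limit on."""
    counts: Dict[int, int] = {}
    for k in dnskeys:
        counts[k.tag()] = counts.get(k.tag(), 0) + 1
    return {t: n for t, n in counts.items() if n > 1}


# Constructed DNSKEY set: KEY_A and KEY_B share key tag 5154 (their per-position
# byte sums are equal); KEY_C has tag 1358. Algorithm 13 is only a label here.
KEY_A = DNSKEY(257, 3, 13, bytes([1, 2, 3, 4, 5, 6, 7, 8]))
KEY_B = DNSKEY(257, 3, 13, bytes([2, 4, 2, 4, 6, 6, 6, 6]))
KEY_C = DNSKEY(256, 3, 13, bytes([0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80]))
DNSKEYS = [KEY_A, KEY_B, KEY_C]
SIGNED_DATA = b"constructed RRset wire data"  # constructed sample input


def demo() -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """RRSIG made with KEY_B; KEY_A shares its tag and is tried first."""
    sig = RRSIG(13, KEY_B.tag(), toy_sign(KEY_B, SIGNED_DATA))
    lenient = validate_rrset(SIGNED_DATA, [sig], DNSKEYS)            # secure after 2 ops
    strict = validate_rrset(SIGNED_DATA, [sig], DNSKEYS, budget=1)   # budget hit on KEY_A
    return lenient, strict


if __name__ == "__main__":
    print("colliding tags:", tag_collisions(DNSKEYS))
    lenient, strict = demo()
    print("default budget:", lenient, "| budget=1:", strict)
```

Two policy points the code makes concrete: the same DNSKEY set is SECURE under one budget and BOGUS under another, which is exactly the cross-implementation inconsistency the message worries about, and `tag_collisions` is the cheap signal a resolver can log before it spends any signature operations.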