[DNSOP] Re: [Ext] Re: Collision Free Key Tags for DNSSEC draft
Philip Homburg <pch-dnsop-6@u-1.phicoh.com> Tue, 22 July 2025 17:02 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/p22Guohuo4A0nF7eAlSf_LDNglo>
In your letter dated 22 Jul 2025 18:24:11 +0200 you wrote:
>On Tue, 22 Jul 2025, Philip Homburg wrote:
>> I'm not aware of any part of the DNSSEC standards, key rolls, operational
>> practice, etc. that leads to invalid RRSIGs.
>
>You could have TTL issues so that a DNSKEY expires before all of its
>RRSIGs, but that seems easier to fix than tag collisions.

We have to be a bit careful how to define a bad RRSIG. The problematic RRSIG is one where the algorithm and key tag match a key in the DNSKEY RRset but the RRSIG is not a valid signature using that key over the RRset it covers.

RRSIGs that have an algorithm and key tag that don't match any key in the DNSKEY RRset are normal (for example during a double signature ZSK roll).

So if the DNSKEY RRset expires before the RRSIG then I think that would create an issue in the second category, which is not a problem from a validation point of view.
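The two categories distinguished in the message above, as an added example that is not part of the original mail: RRSIGs are sorted by whether their (algorithm, key tag) pair selects a key in the DNSKEY RRset and, if so, whether the signature verifies. The key tag follows RFC 4034 Appendix B; `toy_sign` is an HMAC stand-in for real DNSSEC signature verification, and the keys, names and category labels are constructed for illustration.

```python
import hashlib
import hmac
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def toy_sign(pubkey: bytes, rrset: bytes) -> bytes:
    """Stand-in so the example runs offline. NOT a DNSSEC signature algorithm."""
    return hmac.new(pubkey, rrset, hashlib.sha256).digest()

def classify_rrsig(rrsig: dict, dnskeys: list, rrset: bytes) -> str:
    """Sort an RRSIG into the categories the message distinguishes."""
    candidates = [k for k in dnskeys
                  if k[1] == rrsig["algorithm"]
                  and key_tag(dnskey_rdata(*k)) == rrsig["key_tag"]]
    if not candidates:
        return "no-matching-key"            # normal, e.g. during a ZSK roll
    for _flags, _alg, pubkey in candidates:
        if hmac.compare_digest(toy_sign(pubkey, rrset), rrsig["signature"]):
            return "valid"
    return "matching-key-bad-signature"     # the problematic case

# Constructed sample data (hypothetical keys; 15 is used only as an algorithm label).
NEW_ZSK = (256, 15, b"\x01" * 32)
OLD_ZSK = (256, 15, b"\x02" * 32)   # not present in the DNSKEY RRset below
DNSKEY_RRSET = [NEW_ZSK]
RRSET = b"www.example. 300 IN A 192.0.2.1"

def make_rrsig(key: tuple, rrset: bytes, corrupt: bool = False) -> dict:
    """Build a constructed RRSIG; corrupt=True flips bits in the signature."""
    sig = toy_sign(key[2], rrset)
    if corrupt:
        sig = bytes([sig[0] ^ 0xFF]) + sig[1:]
    return {"algorithm": key[1], "key_tag": key_tag(dnskey_rdata(*key)), "signature": sig}

if __name__ == "__main__":
    for label, sig in [("new ZSK", make_rrsig(NEW_ZSK, RRSET)),
                       ("old ZSK", make_rrsig(OLD_ZSK, RRSET)),
                       ("new ZSK, corrupted", make_rrsig(NEW_ZSK, RRSET, corrupt=True))]:
        print(label, "->", classify_rrsig(sig, DNSKEY_RRSET, RRSET))
```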