[dns-operations] a maximum of about 16K possible DNSSEC keytags?

Tony Finch dot at dotat.at
Wed Dec 2 16:34:54 UTC 2015

Florian Maury <florian.maury at ssi.gouv.fr> wrote:

Thanks for the informative post!

> Replacing the keytag computation function by another hashing function
> should be possible, as this value is opaque, but it is probably not
> worth the effort.

It isn't opaque: a validator needs to know the keytag algorithm to
efficiently match RRSIG and DS records to DNSKEY records.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Mainly southerly 5 or 6, decreasing 4 at times. Moderate or rough.
Mainly fair. Good.

More information about the dns-operations mailing list