[dns-operations] a maximum of about 16K possible DNSSEC keytags?
Tony Finch
dot at dotat.at
Wed Dec 2 16:34:54 UTC 2015
Florian Maury <florian.maury at ssi.gouv.fr> wrote:
>
Thanks for the informative post!
> Replacing the keytag computation function by another hashing function
> should be possible, as this value is opaque, but it is probably not
> worth the effort.
It isn't opaque: a validator needs to know the keytag algorithm to
efficiently match RRSIG and DS records to DNSKEY records.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Trafalgar: Mainly southerly 5 or 6, decreasing 4 at times. Moderate or rough.
Mainly fair. Good.
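The matching step the reply refers to, as an added example that is not part of the original message: the RFC 4034 Appendix B key tag computed over DNSKEY RDATA, then used to pick the candidate keys for an RRSIG. The key values are constructed toy data, the helper names are hypothetical, and the special case for algorithm 1 (RSA/MD5) is not covered.

```python
import struct
from collections import defaultdict

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, octet in enumerate(rdata):
        # Even-offset octets are the high byte of a 16-bit word, odd the low.
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in once
    return acc & 0xFFFF

def index_keys(rdatas):
    """Map (algorithm, key tag) -> list of DNSKEY RDATA sharing that pair."""
    index = defaultdict(list)
    for rdata in rdatas:
        index[(rdata[3], key_tag(rdata))].append(rdata)
    return index

def candidates(index, rrsig_algorithm, rrsig_key_tag):
    """Keys a validator should try for an RRSIG: zero, one or several."""
    return index.get((rrsig_algorithm, rrsig_key_tag), [])

# Constructed sample keys (toy 4-octet "public keys", not real key material).
KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
ZSK = dnskey_rdata(256, 3, 8, bytes([1, 2, 3, 4]))
COLLIDING = dnskey_rdata(257, 3, 8, bytes([2, 1, 2, 5]))  # same tag as KSK
INDEX = index_keys([KSK, ZSK, COLLIDING])

if __name__ == "__main__":
    for rdata in (KSK, ZSK, COLLIDING):
        print(rdata.hex(), key_tag(rdata))
    # The tag is only a hint: two different keys can share it, so every
    # candidate returned here still has to be tried against the signature.
    print(len(candidates(INDEX, 8, 2063)), "candidate(s) for tag 2063")
```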