[dns-operations] [Ext] real world keytag collision example
Mark Andrews
marka at isc.org
Thu Jan 17 19:39:49 UTC 2019
> On 18 Jan 2019, at 6:08 am, Edward Lewis <edward.lewis at icann.org> wrote:
>
> On 1/17/19, 12:43, "dns-operations on behalf of Wessels, Duane" <dns-operations-bounces at dns-oarc.net on behalf of dwessels at verisign.com> wrote:
>
>> .HYUNDAI has a KSK and a ZSK that have the same keytag (17755).
>
> Yep, I see this in my collections:
>
> TLD RECORD FIRST SEEN LAST SEEN KEYID ALGORITHM LEN EXP'T TTL
> HYUNDAI. DNSKEY-SEP 2018-12-05 2019-01-16 17755 RSA-SHA256 2048 large 1d
> HYUNDAI. DNSKEY-ZONE 2018-12-19 2019-01-16 17755 RSA-SHA256 1024 large 1d
>
> Same alg, different roles (flags), different lengths, same Key ID.
>
> "It was a million to one shot, Doc. Million to one." : Cosmo Kramer
> (https://www.imdb.com/title/tt0098904/quotes/qt0417369)
>
> Or is that "a million to one" shot?
Or should that be a 65536 to 1 shot?
Keyid has always been an optimisation so validators can find the right key to
check an RRSIG without having to test every key. The developers of the key manager
for that zone should have known better even if all the rest of the software in
the world copes correctly.
Mark
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
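To make the point about the key tag concrete, here is an added worked example (not code from the thread, ISC or the .HYUNDAI operator). It implements the DNSKEY key tag computation from RFC 4034 Appendix B, builds a constructed KSK/ZSK pair with the same tag (the "keys" are filler bytes in RFC 3110 layout, not real RSA keys, chosen so the ZSK's last two bytes make its tag match the KSK's), and contrasts a validator that stops at the first key with a matching tag against one that keeps every key matching (tag, algorithm) as a candidate. The helper names, the forged suffix search and the filler key material are all assumptions of this example.

```python
"""Key tag computation (RFC 4034 Appendix B) and a constructed KSK/ZSK
key tag collision, showing why a validator must try every key that
matches (tag, algorithm) rather than the first one.  Added example; the
key material below is constructed filler, not a real zone's keys."""
import struct

PROTOCOL_DNSSEC = 3
FLAG_ZONE_KEY = 0x0100   # bit 7: key is a zone key
FLAG_SEP = 0x0001        # bit 15: secure entry point (set on KSKs)
ALG_RSASHA256 = 8


def _weighted_sum(rdata: bytes) -> int:
    # Even-offset bytes form the high half of a 16-bit word, odd-offset bytes the low half.
    return sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))


def _fold(ac: int) -> int:
    # RFC 4034 Appendix B: fold the carry back into the low 16 bits.
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    if rdata[3] == 1:
        # Appendix B.1: algorithm 1 (RSA/MD5) uses the top 16 of the low 24 modulus bits.
        return int.from_bytes(rdata[-3:-1], "big")
    return _fold(_weighted_sum(rdata))


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    return struct.pack("!HBB", flags, PROTOCOL_DNSSEC, algorithm) + public_key


def forge_colliding_zsk(ksk_rdata: bytes, algorithm: int, key_body: bytes) -> bytes:
    """Append two bytes to key_body so the resulting ZSK RDATA has the KSK's key tag.

    The tag is a 16-bit checksum, so one free 16-bit word at an even offset can
    hit almost any target (one residue in 65536 may be unreachable; then vary key_body).
    """
    target = key_tag(ksk_rdata)
    head = dnskey_rdata(FLAG_ZONE_KEY, algorithm, key_body)
    if len(head) % 2:
        head += b"\x00"  # keep the free word on an even (high-byte) boundary
    base = _weighted_sum(head)
    for word in range(0x10000):
        if _fold(base + word) == target:
            return head + word.to_bytes(2, "big")
    raise RuntimeError("target tag unreachable with a 2-byte suffix; vary key_body")


def candidate_keys(dnskeys, rrsig_key_tag: int, rrsig_algorithm: int):
    """Every apex DNSKEY a validator must be prepared to try for one RRSIG."""
    return [k for k in dnskeys
            if k[2] == PROTOCOL_DNSSEC
            and k[3] == rrsig_algorithm
            and struct.unpack("!H", k[:2])[0] & FLAG_ZONE_KEY
            and key_tag(k) == rrsig_key_tag]


def first_match(dnskeys, rrsig_key_tag: int, rrsig_algorithm: int):
    """The shortcut that breaks on a collision: stop at the first tag match."""
    for k in dnskeys:
        if k[3] == rrsig_algorithm and key_tag(k) == rrsig_key_tag:
            return k
    return None


# Constructed filler, not real RSA keys: RFC 3110 layout (exponent length,
# exponent 65537, modulus) with constant-byte "moduli" of 2048 and 1024 bits.
KSK = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_RSASHA256,
                   b"\x03\x01\x00\x01" + b"\xab" * 256)
ZSK = forge_colliding_zsk(KSK, ALG_RSASHA256,
                          b"\x03\x01\x00\x01" + b"\xcd" * 126)


def demo():
    """Returns (shared tag, whether first-match picked the KSK, candidate count)."""
    tag = key_tag(KSK)
    assert key_tag(ZSK) == tag and KSK != ZSK
    zone_keys = [KSK, ZSK]  # what a validator sees in the apex DNSKEY RRset
    # Suppose the RRSIG over the zone data was made with the ZSK: the shortcut
    # picks the KSK and fails, while the candidate list still contains the ZSK.
    naive = first_match(zone_keys, tag, ALG_RSASHA256)
    robust = candidate_keys(zone_keys, tag, ALG_RSASHA256)
    return tag, naive is KSK, len(robust)


if __name__ == "__main__":
    tag, picked_ksk, n = demo()
    print(f"shared key tag {tag}: first-match picked KSK={picked_ksk}, candidates={n}")
```

The forged suffix is only possible because the tag is an unkeyed 16-bit checksum of the RDATA, which is exactly why it is a lookup hint and not an identifier: a validator that narrows by (tag, algorithm) and then tries each remaining key with the real signature check copes with the .HYUNDAI situation, while one that treats the tag as unique does not. A key manager can avoid generating the collision in the first place simply by recomputing the tag of a freshly generated key and regenerating if it matches any key already in the zone.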