[dns-operations] [Ext] Re: Checking for signatures of a certain DNSKEY within a zone

Edward Lewis edward.lewis at icann.org
Wed Jul 14 13:59:22 UTC 2021

On 7/6/21, 12:15 PM, "dns-operations on behalf of Tony Finch" <dns-operations-bounces at dns-oarc.net on behalf of dot at dotat.at> wrote:

>    If it is one of your zones then your key management software should ensure
>    that all the key IDs are different, i.e. if there is an ID collision when
>    generating a key, throw it away and regenerate it. This is important for
>    verification performance (and, I would guess, less risk of encountering
>    bugs).

FWIW, I've seen one (emphasize just one) example of concurrent, active, colliding key tags among the TLDs over the past 10 years.  When it happened, it seemed to persist for a month, with the operator rolling one of the keys.  This happened in 2018, I didn't notice it until last month while trolling through historical data, so I bet there was never any interruption.

The protocol ought not be fooled by it, but you can never tell about the quality of a validator.  I.e., such code may not realize that asking for a key tag out of a DNSKEY set might need to be a list and not a single value.

This started out as a convention, key generation tools would not produce a key that key-tag-collided, but as with any other tool or environment, it might occur.

Where I ran across the issue is in some analytical code I'm working on, a collision might foul up other monitoring and visualization code, but it should not be operationally impacting.

More information about the dns-operations mailing list