[dns-operations] [Ext] Re: Checking for signatures of a certain DNSKEY within a zone
edward.lewis at icann.org
Wed Jul 14 13:59:22 UTC 2021
On 7/6/21, 12:15 PM, "dns-operations on behalf of Tony Finch" <dns-operations-bounces at dns-oarc.net on behalf of dot at dotat.at> wrote:
> If it is one of your zones then your key management software should ensure
> that all the key IDs are different, i.e. if there is an ID collision when
> generating a key, throw it away and regenerate it. This is important for
> verification performance (and, I would guess, less risk of encountering
FWIW, I've seen one (emphasize just one) example of concurrent, active, colliding key tags among the TLDs over the past 10 years. When it happened, it seemed to persist for a month, with the operator rolling one of the keys. This happened in 2018; I didn't notice it until last month while trolling through historical data, so I bet there was never any interruption.
The protocol ought not be fooled by it, but you can never tell about the quality of a validator. I.e., such code may not realize that asking for a key tag out of a DNSKEY set might need to be a list and not a single value.
This started out as a convention: key generation tools would not produce a key that key-tag-collided, but as with any other tool or environment, it might occur.
Where I ran across the issue is in some analytical code I'm working on; a collision might foul up other monitoring and visualization code, but it should not be operationally impacting.
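An added example, not from the thread or any of its authors, showing the three pieces discussed above: the RFC 4034 key tag computation, the list-valued lookup a validator needs when tags collide, and the regenerate-on-collision check a key generator applies. The DNSKEY public key fields are constructed filler bytes, not real key material.

```python
# Added example (not from the thread). Key tags per RFC 4034 Appendix B, plus the
# list-valued lookup a validator needs and the collision check a key generator uses.
# All public key bytes below are constructed filler, not real keys.
from collections import defaultdict
from typing import NamedTuple


class DNSKEY(NamedTuple):
    flags: int       # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int    # always 3
    algorithm: int   # e.g. 13 = ECDSAP256SHA256
    pubkey: bytes    # public key field (constructed filler in this example)

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: 16-bit word sum over the RDATA with carry folded in."""
    if key.algorithm == 1:  # B.1 special case for RSA/MD5: two bytes before the last
        return int.from_bytes(key.pubkey[-3:-1], "big")
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keys_by_tag(dnskey_rrset, tag):
    """A validator must treat this as a list: several keys may share one tag."""
    return [k for k in dnskey_rrset if key_tag(k) == tag]


def colliding_tags(dnskey_rrset):
    """Monitoring view: every tag carried by more than one key in the RRset."""
    by_tag = defaultdict(list)
    for k in dnskey_rrset:
        by_tag[key_tag(k)].append(k)
    return {t: ks for t, ks in by_tag.items() if len(ks) > 1}


def accept_new_key(dnskey_rrset, candidate):
    """Key-generation convention: refuse a candidate whose tag is already in use."""
    return key_tag(candidate) not in {key_tag(k) for k in dnskey_rrset}


# Constructed demo: the tag is a plain sum of 16-bit words, so swapping two words of
# the public key field gives a different key with the same tag (a real collision).
KSK = DNSKEY(257, 3, 13, bytes.fromhex("0000000000000001"))
ZSK_A = DNSKEY(256, 3, 13, bytes.fromhex("0102030405060708"))
ZSK_B = DNSKEY(256, 3, 13, bytes.fromhex("0304010205060708"))
RRSET = [KSK, ZSK_A, ZSK_B]
```

Running `colliding_tags(RRSET)` flags the shared ZSK tag, while `accept_new_key([KSK, ZSK_A], ZSK_B)` returns False, which is the point at which a generator would discard ZSK_B and regenerate.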