[dns-operations] [Ext] Re: .RU zone failed ZSK rotation

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Feb 8 15:34:03 UTC 2024

On Thu, Feb 08, 2024 at 12:24:08PM +0000, Edward Lewis wrote:

> Between non-unique key tags and the possibility of hash collisions,
> it's possible two DS resource records could share either a key tag or
> a hash representing different keys.  From this, I wish we hadn't
> defined the key tag field - and maybe stuck with the entire key in the
> DS resource record.  Over the long term, ... I see things differently.

Collisions in SHA2-256 (with SHA1 in DS records being deprecated for
some time now), would be major news indeed.  There's not even a hint of
such collisions being found in the next few decades.  SHA1 collisions
are of course a possibility, but require considerable computing
resources and don't just happen "at random" (as is the case with key

There is no issue with DS record confusion.  And even if two keys
produced the same DS record, that'd be fine too, just publish one DS
record in support of both!  The only theoretical risk is erroneously
publishing two identical RRs in the DS RRset, which is not allowed,
and validators may balk...  In practice, this won't happen.
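
Added example, not part of the original message: a Python sketch of the contrast drawn in this thread between the 16-bit key tag (RFC 4034 Appendix B), which repeats among a few hundred keys, and the SHA-256 DS digest, which still tells those keys apart. The owner name `example.`, the helper names and the pseudo-random "public keys" are assumptions constructed for illustration; they are not valid curve points.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def constructed_key(n: int) -> bytes:
    """Constructed sample: 64 pseudo-random bytes standing in for a P-256 key."""
    seed = struct.pack("!I", n)
    pub = hashlib.sha256(b"x" + seed).digest() + hashlib.sha256(b"y" + seed).digest()
    return dnskey_rdata(257, 3, 13, pub)  # KSK flags, protocol 3, algorithm 13

def find_tag_collision(limit: int = 70000):
    """Generate keys until two share a key tag (pigeonhole guarantees one)."""
    seen = {}
    for n in range(limit):
        rdata = constructed_key(n)
        tag = key_tag(rdata)
        if tag in seen:
            return tag, seen[tag], rdata
        seen[tag] = rdata
    raise RuntimeError("no collision found; cannot happen for limit > 65536")

if __name__ == "__main__":
    tag, first, second = find_tag_collision()
    print("shared key tag:", tag)
    print("DS digest 1   :", ds_sha256("example.", first))
    print("DS digest 2   :", ds_sha256("example.", second))
```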

