DNSSEC will eventually generate Identical Key ID's

Anand Buddhdev anandb at ripe.net
Sun Sep 9 18:30:10 UTC 2018

On 09/09/2018 19:51, Mark Elkins wrote:

> Never assume a KeyID is unique.  :-)

One of the DNSSEC RFCs specifically says that the KeyID is not meant to
be unique. I can't remember which one, and it's too late on a Sunday
evening to be reading RFCs :)

Even then, I've had the misfortune of dealing with a vendor whose
developers didn't read the RFCs properly, and designed their key store
using the key IDs as indexes. So one fine day, we had a zone signed with
one key, but the DS record came from another key. Boom. Yuck. What a
mess it was to sort out!
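An added example (editor's code, not part of the message above or of any vendor's product) showing why a key store indexed by key tag goes wrong. The key tag (RFC 4034 Appendix B) is a 16-bit checksum over the DNSKEY RDATA, not a hash, and the RFC explicitly says it is not a unique identifier. The two DNSKEY records below are constructed toys (4-byte public keys, not real ECDSA material) chosen so their tags collide; the owner name `example.net.` is likewise made up. The tag-indexed store silently overwrites the first key and hands back the wrong one for the published DS, while the digest-matched store treats the tag as a hint and selects the key by its full DS digest:

```python
import hashlib
import struct
from collections import defaultdict

# Constructed toy DNSKEY records (assumption: not real keys; a real ECDSA P-256
# public key is 64 bytes, these are 4 bytes chosen so the key tags collide).
FLAGS_KSK = 257        # Zone Key + SEP bit
PROTOCOL = 3           # RFC 4034: protocol field MUST be 3
ALG_ECDSAP256 = 13
OWNER = "example.net."  # made-up owner name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA, not a hash.
    Bytes at even offsets contribute their value shifted left by 8, bytes at odd
    offsets contribute the plain value, so swapping two even-offset (or two
    odd-offset) bytes leaves the tag unchanged. Not valid for algorithm 1."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as used in the DS digest input."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


# Public-key bytes at offsets 4 and 6 (both even) are swapped, so the tags match.
KEY_A = dnskey_rdata(FLAGS_KSK, PROTOCOL, ALG_ECDSAP256, bytes([0x11, 0x22, 0x33, 0x44]))
KEY_B = dnskey_rdata(FLAGS_KSK, PROTOCOL, ALG_ECDSAP256, bytes([0x33, 0x22, 0x11, 0x44]))


class TagIndexedStore:
    """The flawed design: key tag used as the unique index.
    Adding a second key with the same tag silently replaces the first."""

    def __init__(self):
        self.keys = {}

    def add(self, rdata: bytes) -> None:
        self.keys[key_tag(rdata)] = rdata

    def lookup(self, tag: int) -> bytes:
        return self.keys[tag]


class DigestMatchedStore:
    """Key tag is only a hint; the key is selected by matching the full DS digest."""

    def __init__(self):
        self.keys = defaultdict(list)

    def add(self, rdata: bytes) -> None:
        self.keys[key_tag(rdata)].append(rdata)

    def lookup(self, owner: str, tag: int, ds_digest: str) -> bytes:
        matches = [k for k in self.keys[tag] if ds_digest_sha256(owner, k) == ds_digest]
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} keys match tag {tag} and the DS digest")
        return matches[0]


def broken_lookup_returns_wrong_key() -> bool:
    """Replays the incident: DS published for KEY_A, but the store hands back KEY_B."""
    store = TagIndexedStore()
    store.add(KEY_A)
    store.add(KEY_B)  # same tag: KEY_A is overwritten without any error
    return store.lookup(key_tag(KEY_A)) != KEY_A


def safe_lookup_returns_right_key() -> bool:
    """Same two keys, but the lookup is pinned to the DS digest of KEY_A."""
    store = DigestMatchedStore()
    store.add(KEY_A)
    store.add(KEY_B)
    ds = ds_digest_sha256(OWNER, KEY_A)
    return store.lookup(OWNER, key_tag(KEY_A), ds) == KEY_A


if __name__ == "__main__":
    print("tag A:", key_tag(KEY_A), "tag B:", key_tag(KEY_B))
    print("tag-indexed store returns wrong key:", broken_lookup_returns_wrong_key())
    print("digest-matched store returns right key:", safe_lookup_returns_right_key())
```

The same check applies when reading a DS from the parent: validators already try every DNSKEY whose tag matches and accept the one whose digest verifies, so a signer or key store should do no less than its validators.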


