DNSSEC will eventually generate Identical Key ID's

Ray Bellis ray at isc.org
Mon Sep 10 08:45:08 UTC 2018

On 09/09/2018 18:51, Mark Elkins wrote:
> Just for the record, although I do look from a curiosity point of view
> for Identical Key IDs once every few months - I've never seen them -
> until now.
> Now I have them - generated by BIND within a few days of each other...
> I've been running DNSSEC for 7 years and have around 400 DNSSEC keys for
> 133 signed Domains.
> I'm a smallish Registrar for ZA domains.
> Never assume a KeyID is unique.  :-)

It's inevitable that they won't be.

With only a 16-bit key tag space (and in 2016 Roy Arends discovered that
the effective space is only 15 bits), the birthday collision paradox
means you only need on the order of sqrt(32k) different keys to get a
50% chance of a collision.
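
The key tag computation and the birthday bound from the message above, as an added worked example (not code from the thread or from BIND). It implements the RFC 4034 Appendix B key tag over a DNSKEY RDATA, shows two constructed (toy, not real RSA) public keys that share a tag, groups a key set by tag so an operator can spot duplicates, and computes how many keys give a 50% collision chance for the 15-bit effective space the post cites.

```python
import math
from collections import defaultdict

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA
    (flags, protocol, algorithm, public key). Not valid for
    algorithm 1 (RSA/MD5), which uses a different rule."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # 16-bit big-endian words, odd tail padded
    ac += (ac >> 16) & 0xFFFF         # fold the carry back in
    return ac & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: flags(2), protocol=3(1), algorithm(1), key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def find_tag_collisions(keys):
    """keys: iterable of (label, rdata). Returns {tag: [labels]} for tags
    shared by more than one key, i.e. the cases a zone operator must handle."""
    by_tag = defaultdict(list)
    for label, rdata in keys:
        by_tag[key_tag(rdata)].append(label)
    return {tag: labels for tag, labels in by_tag.items() if len(labels) > 1}

def collision_probability(n_keys: int, tag_bits: int) -> float:
    """Exact birthday probability that n_keys keys with uniformly random
    tags in a 2**tag_bits space contain at least one duplicate."""
    space = 1 << tag_bits
    p_distinct = 1.0
    for i in range(n_keys):
        p_distinct *= 1 - i / space
    return 1 - p_distinct

def keys_for_even_odds(tag_bits: int) -> int:
    """Smallest key count at which a duplicate tag becomes more likely than not."""
    n = 1
    while collision_probability(n, tag_bits) < 0.5:
        n += 1
    return n

# Constructed sample: two different (toy) KSK public keys, flags=257, alg 8.
KSK_A = dnskey_rdata(257, 8, bytes([0x01, 0x03, 0xAB, 0xCD]))
KSK_B = dnskey_rdata(257, 8, bytes([0x01, 0x04, 0xAB, 0xCC]))

if __name__ == "__main__":
    print(key_tag(KSK_A), key_tag(KSK_B))                        # 45273 45273
    print(find_tag_collisions([("ksk-a", KSK_A), ("ksk-b", KSK_B)]))
    print("keys for 50% in 15 bits:", keys_for_even_odds(15),
          "approx sqrt(2N ln 2) =", round(math.sqrt(2 * (1 << 15) * math.log(2)), 1))
```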
