DNSSEC will eventually generate Identical Key ID's

Tony Finch dot at dotat.at
Mon Sep 10 11:32:54 UTC 2018

Mark Elkins <mje at posix.co.za> wrote:

> Never assume a KeyID is unique.  :-)

Good tools ensure that key IDs are unique per zone. For example, if you
keep generating keys for a zone with `dnssec-keygen` it will eventually
get into an infinite loop perpetually generating colliding keys!

Apart from the footgun that Anand described, the reason for keeping key
IDs unique per zone is so that a validator can quickly skip keys that
can't possibly match an RRSIG or DS record.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Tyne, Dogger, Fisher: Southwest 5 to 7. Slight or moderate in Tyne, otherwise
moderate or rough. Showers then rain. Good, occasionally poor.

More information about the bind-users mailing list