DNSSEC will eventually generate Identical Key ID's
warren at kumari.net
Mon Sep 10 13:47:20 UTC 2018
On Sun, Sep 9, 2018 at 2:30 PM Anand Buddhdev <anandb at ripe.net> wrote:
> On 09/09/2018 19:51, Mark Elkins wrote:
> > Never assume a KeyID is unique. :-)
> One of the DNSSEC RFCs specifically says that the KeyID is not meant to
> be unique. I can't remember which one, and it's too late on a Sunday
> evening to be reading RFCs :)
You are thinking of RFC4034, Section 8. Security Considerations:
The key tag is used to help select DNSKEY resource records
efficiently, but it does not uniquely identify a single DNSKEY
resource record. It is possible for two distinct DNSKEY RRs to have
the same owner name, the same algorithm type, and the same key tag.
An implementation that uses only the key tag to select a DNSKEY RR
might select the wrong public key in some circumstances. Please see
Appendix B for further details.
> Even then, I've had the misfortune of dealing with a vendor whose
> developers didn't read the RFCs properly, and designed their key store
> using the key IDs as indexes. So one fine day, we had a zone signed with
> one key, but the DS record came from another key. Boom. Yuck. What a
> mess it was to sort out!
Oooh, that sounds like fun to debug....
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users