DNSSEC will eventually generate Identical Key ID's
Tony Finch
dot at dotat.at
Mon Sep 10 11:32:54 UTC 2018
Mark Elkins <mje at posix.co.za> wrote:
> Never assume a KeyID is unique. :-)
Good tools ensure that key IDs are unique per zone. For example, if you
keep generating keys for a zone with `dnssec-keygen` it will eventually
get into an infinite loop perpetually generating colliding keys!
Apart from the footgun that Anand described, the reason for keeping key
IDs unique per zone is so that a validator can quickly skip keys that
can't possibly match an RRSIG or DS record.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Tyne, Dogger, Fisher: Southwest 5 to 7. Slight or moderate in Tyne, otherwise
moderate or rough. Showers then rain. Good, occasionally poor.
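As an added example (not part of Tony's post, and not BIND's own code), the following Python shows the key tag calculation from RFC 4034 Appendix B.1, a uniqueness check of the kind a careful key generator would apply before adding a DNSKEY to a zone, and the validator-side filter that uses the tag in an RRSIG to skip keys that cannot possibly have produced the signature. The three DNSKEYs are constructed dummies with tiny, non-real public key bytes chosen so that two of them collide on the same 16-bit tag; the class and function names are this example's own.

```python
"""Added example: RFC 4034 key tags, per-zone uniqueness, validator filtering.

Key tag = 16-bit ones'-complement-style sum over the DNSKEY RDATA
(flags, protocol, algorithm, public key). Two keys can share a tag, so
the tag is a hint for validators, not an identifier.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: bytes   # raw key bytes (base64-decoded zone-file field)

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1. Even-offset bytes go into the high half of a
    16-bit word, odd-offset bytes into the low half; carries are folded back
    in. (The obsolete algorithm 1 / RSAMD5 rule from B.2 is not handled.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def add_key(zone_keys: list, new: DNSKEY) -> bool:
    """Generator side: refuse a key whose tag collides with one already in
    the zone, so every tag in the DNSKEY RRset stays unique. Returns True
    if the key was added."""
    existing = {key_tag(k.rdata()) for k in zone_keys}
    if key_tag(new.rdata()) in existing:
        return False
    zone_keys.append(new)
    return True


def candidate_keys(zone_keys: list, rrsig_key_tag: int, rrsig_algorithm: int) -> list:
    """Validator side (RFC 4035 section 5.3.1): only DNSKEYs whose tag and
    algorithm match the RRSIG's fields need a signature verification; the
    rest are skipped without any cryptography. With duplicate tags, the
    validator must try every matching key."""
    return [k for k in zone_keys
            if k.algorithm == rrsig_algorithm
            and key_tag(k.rdata()) == rrsig_key_tag]


# Constructed dummy keys (public_key bytes are NOT real keys).
KEY_A = DNSKEY(257, 3, 13, b"\x00\x00\x00\x00")   # tag 1038
KEY_B = DNSKEY(256, 3, 13, b"\x12\x34")           # tag 5697
KEY_C = DNSKEY(257, 3, 13, b"\xff\xff")           # tag 1038: collides with KEY_A,
                                                  # because adding 0xFFFF with
                                                  # end-around carry adds zero


def demo() -> dict:
    """Run the generator check and the validator filter over the dummy keys."""
    zone = []
    added = [add_key(zone, k) for k in (KEY_A, KEY_B, KEY_C)]
    # A zone that (wrongly) published the colliding key anyway:
    sloppy_zone = [KEY_A, KEY_B, KEY_C]
    return {
        "tags": [key_tag(k.rdata()) for k in (KEY_A, KEY_B, KEY_C)],
        "added": added,
        "strict_candidates_1038": candidate_keys(zone, 1038, 13),
        "sloppy_candidates_1038": candidate_keys(sloppy_zone, 1038, 13),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the strict zone the RRSIG with key tag 1038 narrows the search to exactly one DNSKEY; in the zone that let the collision through, the validator has to attempt verification with both KEY_A and KEY_C, which is the cost Tony's second paragraph is describing.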