To: ietf-provreg@cafax.se
Cc: ed.lewis@Neustar.biz
From: Edward Lewis <Ed.Lewis@Neustar.biz>
Date: Wed, 28 Oct 2009 14:45:23 -0400
In-Reply-To: <F06D032B-8447-4468-9152-06FEC6F1EE77@cisco.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?
At 22:23 +0100 10/27/09, Patrik Fältström wrote:
>Yeah, also just saw this in 4034:
>
>> The key tag is used to help select DNSKEY resource records
>> efficiently, but it does not uniquely identify a single DNSKEY
>> resource record. It is possible for two distinct DNSKEY RRs to have
>> the same owner name, the same algorithm type, and the same key tag.
>> An implementation that uses only the key tag to select a DNSKEY RR
>> might select the wrong public key in some circumstances. Please see
>> Appendix B for further details.
>
>Who the heck came up with this? ;-)

So Olafur and I are throwing rocks at each other over that question....

The idea of the keytag predates memory; the desire was to have some way to select one of the keys in an RRset. (In DNS, there is no other selector "inside" an RRset.)

The reason that the keytag is non-unique is, well, the things it is trying to describe/compress in 16 bits are practically random. You can't compress random data (think about it) without loss. In this case, we lose uniqueness.

Perhaps you could hash the key instead ... hey, that's what the DS record does! The mistake here is using the keytag and not the DS hash as the selector.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
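The lossy-compression point above can be shown concretely: the RFC 4034 Appendix B key tag is essentially a 16-bit word sum over the DNSKEY RDATA, so two keys whose public-key bytes differ only by a swap of two 16-bit words get the same key tag, while a DS-style SHA-256 digest over owner name and RDATA still tells them apart. This is an added example, not code from the message or the list; the two DNSKEY RDATAs and the owner name `example.` are constructed for the demonstration and are not real keys.

```python
import hashlib
import struct

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Build DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than 1, RSA/MD5):
    sum of big-endian 16-bit words, with the carry folded back in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner-name wire format || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()

# Constructed demo keys (not real DNSSEC keys): KSK flags 257, protocol 3,
# algorithm 8. KEY_B's public-key bytes are KEY_A's with the last two 16-bit
# words swapped, so the word sum, and therefore the key tag, is unchanged.
KEY_A = dnskey_rdata(257, 3, 8, bytes.fromhex("0301000112345678"))
KEY_B = dnskey_rdata(257, 3, 8, bytes.fromhex("0301000156781234"))

def collision_report(owner: str = "example.") -> dict:
    """Show that the two distinct keys share a key tag but not a DS digest."""
    return {
        "distinct_keys": KEY_A != KEY_B,
        "same_key_tag": key_tag(KEY_A) == key_tag(KEY_B),
        "same_ds_digest": ds_digest(owner, KEY_A) == ds_digest(owner, KEY_B),
    }
```

A validator that picks a DNSKEY by key tag alone must therefore be prepared to try every candidate with that tag, whereas matching on the DS digest selects exactly one key.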