On 15/02/2018 01:36, Geoff Huston wrote:
On 15 Feb 2018, at 8:35 am, Paul Hoffman <paul.hoffman@icann.org> wrote:
On Feb 14, 2018, at 12:40 PM, Warren Kumari <warren@kumari.net> wrote:
I think that it would be a useful addition to the script to ensure that, when a new KSK is generated, it does not have the same Key ID as any previous KSKs. If it *does* have the same Key ID, it should be discarded and a new one generated.
As someone who has to write tools to deal with ICANN's trust anchors, I give this proposal two thumbs up.
Warren has done well to point this out, and yes, it's a small but important aspect of the key generation process.
I raised the issue of keyid collision also once at the mic, and from what I remember someone (from ICANN?) mentioned that at any time a (new) unique keyid will be generated. But I fully agree it is important to explicitly mention this in the key generation procedure (ceremony/protocol).

Cheers,

-- Benno

--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
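An added example, not part of the thread, of the check Warren proposes: compute the DNSKEY key tag as RFC 4034 Appendix B defines it and discard a freshly generated KSK whose tag matches an earlier one. The `generate` callable and all key bytes below are constructed stand-ins for real (HSM-backed) key generation.

```python
import secrets
import struct


def dnssec_key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag (RFC 4034 Appendix B.1) over the DNSKEY RDATA.

    The tag is a 16-bit checksum, not a hash: distinct keys can and do
    share a tag, which is why validators treat it only as a hint and why
    a key-generation ceremony should check for collisions explicitly.
    (Algorithm 1, RSA/MD5, uses a different rule and is not handled here.)
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def generate_unique_ksk(generate, existing_tags, max_attempts=16):
    """Call generate() until the key tag is unused by any previous KSK.

    generate() returns (flags, protocol, algorithm, public_key); a key
    whose tag collides with existing_tags is discarded and a new one drawn.
    """
    for _ in range(max_attempts):
        key = generate()
        tag = dnssec_key_tag(*key)
        if tag not in existing_tags:
            return key, tag
    raise RuntimeError(f"no collision-free KSK after {max_attempts} attempts")


def placeholder_generate():
    """Hypothetical stand-in for real KSK generation: KSK flags (257),
    protocol 3, algorithm 8, and random bytes instead of an RSA public key."""
    return (257, 3, 8, secrets.token_bytes(64))


if __name__ == "__main__":
    previous = {dnssec_key_tag(257, 3, 8, b"\x01\x02\x03\x04")}
    key, tag = generate_unique_ksk(placeholder_generate, previous)
    print(f"accepted new KSK with key tag {tag}")
```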