Hi everyone,
let me add references:
https://tools.ietf.org/html/rfc4034#appendix-B explains this:
However, it is essential to note that the key tag is not a unique
identifier. It is theoretically possible for two distinct DNSKEY RRs
to have the same owner name, the same algorithm, and the same key
tag. The key tag is used to limit the possible candidate keys, but
it does not uniquely identify a DNSKEY record. Implementations MUST
NOT assume that the key tag uniquely identifies a DNSKEY RR.
Also key tag "collision" is even more likely than it seems at first glance, see
https://lists.dns-oarc.net/pipermail/dns-operations/2015-December/013949.ht…
One question is if generating keys in a way which guarantees unique key tags would improve
user experience sufficiently to warrant more complexity in key generation code.
Petr Špaček @ CZ.NIC
On 03. 07. 20 15:08, libor.peltan wrote:
Hi Thomas,
well, the key tag is a "checksum" of the crypto key material, which is
"random", so with a probability of 1/65536, you obtain two different keys with
equal key tag.
This should be no problem for the operation, you just need to take care and not use key
tag for identifying the keys, for example in keymgr.
Note that in Knot terminology, this short checksum is called 'key tag', whereas
'key id' is a sha sum which is most probably unique.
BR,
Libor
Dne 03.07.20 v 14:58 Thomas E. napsal(a):
> Hi,
>
> I performed a manual key roll over with this command:
>
> $ knotc zone-key-rollover dnssec-test.xxx zsk
>
>
> The result is 2 different ZSK's with the same key id:
>
>
> dnssec-test.xxx. 3600 IN DNSKEY 256 3 8 (
> AwEAAc5W.....
> ) ; ZSK; alg = RSASHA256; key id = 7030
>
> dnssec-test.xxx. 3600 IN DNSKEY 256 3 8 (
> AwEAAc7Q5U......
> ) ; ZSK; alg = RSASHA256; key id = 7030
>
>
>
> From the log:
>
> 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 56464,
> algorithm RSASHA256, KSK, public, ready, active+
> 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 7030,
> algorithm RSASHA256, public
> 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, key, tag 7030,
> algorithm RSASHA256, public, active
> 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, signing started
> 2020-07-03T14:52:59 info: [dnssec-test.xxx.] DNSSEC, zone is up-to-date
>
>
>
> Is it the intended behavior to have two ZSK's with the same key id?
>
>
> Thanks a lot,
> Thomas
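Added example (my own code, not Knot's and not from anyone in this thread): the RFC 4034 Appendix B key tag over DNSKEY RDATA, a constructed pair of distinct ZSKs that share a tag, and a content digest that does tell them apart. The `key_id` helper is a SHA-256 stand-in chosen here, not Knot's actual key id derivation; the sample keys are constructed bytes, not real RSA material.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: sum the RDATA as big-endian 16-bit words,
    fold the carry back in, keep the low 16 bits."""
    if rdata[3] == 1:  # algorithm 1 (RSAMD5) has its own rule, not implemented here
        raise ValueError("RSAMD5 key tag rule not implemented")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_id(rdata):
    """Content digest that distinguishes keys (assumed stand-in, in the spirit
    of Knot's separate 'key id'; not Knot's exact derivation)."""
    return hashlib.sha256(rdata).hexdigest()

def colliding_sibling(pubkey):
    """Return different key bytes whose DNSKEY has the same key tag.
    Moving one unit between two bytes at even offsets leaves the word sum
    unchanged (the 4-byte RDATA header preserves offset parity)."""
    evens = range(0, len(pubkey), 2)
    src = next(i for i in evens if pubkey[i] > 0)
    dst = next(i for i in evens if i != src and pubkey[i] < 255)
    out = bytearray(pubkey)
    out[src] -= 1
    out[dst] += 1
    return bytes(out)

def candidates_by_tag(rdatas, tag):
    """The legitimate use of a key tag: narrow the candidate set.
    Callers must not assume the result has exactly one element."""
    return [r for r in rdatas if key_tag(r) == tag]

# Constructed sample: two ZSKs (flags 256, protocol 3, RSASHA256 = alg 8) sharing a tag.
KEY_A = dnskey_rdata(256, 3, 8, bytes(range(1, 65)))
KEY_B = dnskey_rdata(256, 3, 8, colliding_sibling(KEY_A[4:]))

if __name__ == "__main__":
    for k in (KEY_A, KEY_B):
        print(f"tag={key_tag(k):5d}  id={key_id(k)[:16]}...")
    print("candidates for tag:", len(candidates_by_tag([KEY_A, KEY_B], key_tag(KEY_A))))
```

Because the tag is a plain sum, any two keys whose even-offset bytes total the same (and likewise for odd offsets) collide, which is why a key manager has to index keys by something like `key_id` rather than by tag.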