Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 07 September 2012 19:32 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD79B21E80C0 for <dnsop@ietfa.amsl.com>; Fri, 7 Sep 2012 12:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.69
X-Spam-Level:
X-Spam-Status: No, score=-0.69 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311, SARE_WEOFFER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAP4RSXYDmo8 for <dnsop@ietfa.amsl.com>; Fri, 7 Sep 2012 12:32:13 -0700 (PDT)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 5C55921E809C for <dnsop@ietf.org>; Fri, 7 Sep 2012 12:32:13 -0700 (PDT)
Received: from mx1.yitter.info (nat-05-mht.dyndns.com [216.146.45.244]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id EF8618A031 for <dnsop@ietf.org>; Fri, 7 Sep 2012 19:32:12 +0000 (UTC)
Date: Fri, 07 Sep 2012 15:32:10 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20120907193210.GH16938@mx1.yitter.info>
References: <20120823214924.GL30725@x28.adm.denic.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20120823214924.GL30725@x28.adm.denic.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Sep 2012 19:32:14 -0000
Dear colleagues,
On Thu, Aug 23, 2012 at 11:49:24PM +0200, Peter Koch wrote:
> Dear DNSOP WG,
>
> this is to initiate a working group last call (WGLC) for
>
> "DNSSEC Key Timing Considerations"
> draft-ietf-dnsop-dnssec-key-timing-03.txt
> <http://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/>
>
I have read draft-ietf-dnsop-dnssec-key-timing-03. I have some
comments. I'll send additional comments containing nits to the draft
editors.
On the whole, I think the draft is a little complicated for operators
to follow easily. I nevertheless think we should publish it: we offer
today _no_ guidance to operators on these matters, and people I work
with, at least, want such guidance. I know there's another draft
floating about, but if we take as long to reach agreement on that
draft as we took to review this one, we'll never publish anything.
In section 1.2, it would be helpful to observe that, as a matter of
deployment, the KSK might also be the ZSK. I'm aware that the
document is assuming a sharp distinction, but by noting they could be
the same key and leaving the working out of the implications for the
reader, the document will be made more useful.
Section 1.4 includes the RFC 2119 language, but in some places I
notice "must" (in lower case) used. I find this a little hard to work
with, and I know that at least one AD is quite exercised about this
issue, so I think someone needs to go through the document and restate
such uses. I also find it mystifying why some but not all of the
definitions are moved to an appendix, although I don't really care
about this.
Section 3.1 has this definition:
Published The DNSKEY record - or information associated with it -
is published in the zone, but predecessors of the key (or
associated information) may be held in caches.
I think this isn't quite right, because the predecessors of the key
(i.e. other keys) might also be Published, no? It's predecessors of
the relevant RRsets that might still be in caches, I think, no?
In section 3.2.2, the text, "The successor is key is now active and
the current key is said to be retired," is a little strange (it's odd
that the "current key" is the retired one and the "successor key" is
active). I understand the text given the context, but I wonder whether
this would be better phrased in terms of Key N and Key N+1.
It took me a minute to understand Section 3.2.3, Event 4. Perhaps it
could be clarified this way:
There is now a delay while RRSIGs that were only generated using
Key N expire from caches. This interval is given by the expression:
Dprp + TTLsig
After that interval, all caches that have any RRSIG will have the
RRSIGs generated by both Key N and Key N-1.
Or something like that?
Best regards,
Andrew
--
Andrew Sullivan
ajs@anvilwalrusden.com
- [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-0… Peter Koch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Edward Lewis
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Johan Ihrén
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Yuri Schaeffer
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Andrew Sullivan
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Olafur Gudmundsson
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Peter Koch