Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 07 September 2012 19:32 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD79B21E80C0 for <dnsop@ietfa.amsl.com>; Fri, 7 Sep 2012 12:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.69
X-Spam-Level:
X-Spam-Status: No, score=-0.69 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311, SARE_WEOFFER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAP4RSXYDmo8 for <dnsop@ietfa.amsl.com>; Fri, 7 Sep 2012 12:32:13 -0700 (PDT)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 5C55921E809C for <dnsop@ietf.org>; Fri, 7 Sep 2012 12:32:13 -0700 (PDT)
Received: from mx1.yitter.info (nat-05-mht.dyndns.com [216.146.45.244]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id EF8618A031 for <dnsop@ietf.org>; Fri, 7 Sep 2012 19:32:12 +0000 (UTC)
Date: Fri, 07 Sep 2012 15:32:10 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20120907193210.GH16938@mx1.yitter.info>
References: <20120823214924.GL30725@x28.adm.denic.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20120823214924.GL30725@x28.adm.denic.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Sep 2012 19:32:14 -0000
Dear colleagues, On Thu, Aug 23, 2012 at 11:49:24PM +0200, Peter Koch wrote: > Dear DNSOP WG, > > this is to initiate a working group last call (WGLC) for > > "DNSSEC Key Timing Considerations" > draft-ietf-dnsop-dnssec-key-timing-03.txt > <http://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/> > I have read draft-ietf-dnsop-dnssec-key-timing-03. I have some comments. I'll send additional comments containing nits to the draft editors. On the whole, I think the draft is a little complicated for operators to follow easily. I nevertheless think we should publish it: we offer today _no_ guidance to operators on these matters, and people I work with, at least, want such guidance. I know there's another draft floating about, but if we take as long to reach agreement on that draft as we took to review this one, we'll never publish anything. In section 1.2, it would be helpful to observe that, as a matter of deployment, the KSK might also be the ZSK. I'm aware that the document is assuming a sharp distinction, but by noting they could be the same key and leaving the working out of the implications for the reader, the document will be made more useful. Section 1.4 includes the RFC 2119 language, but in some places I notice "must" (in lower case) used. I find this a little hard to work with, and I know that at least one AD is quite exercised about this issue, so I think someone needs to go through the document and restate such uses. I also find it mystifying why some but not all of the definitions are moved to an appendix, although I don't really care about this. Section 3.1 has this definition: Published The DNSKEY record - or information associated with it - is published in the zone, but predecessors of the key (or associated information) may be held in caches. I think this isn't quite right, because the predecessors of the key (i.e. other keys) might also be Published, no? It's predecessors of the relevant RRsets that might still be in caches, I think, no? In section 3.2.2, the text, "The successor is key is now active and the current key is said to be retired," is a little strange (it's odd that the "current key" is the retired one and the "successor key" is active). I understand the text given the context, but I wonder whether this would be better phrased in terms of Key N and Key N+1. It took me a minute to understand Section 3.2.3, Event 4. Perhaps it could be clarified this way: There is now a delay while RRSIGs that were only generated using Key N expire from caches. This interval is given by the expression: Dprp + TTLsig After that interval, all caches that have any RRSIG will have the RRSIGs generated by both Key N and Key N-1. Or something like that? Best regards, Andrew -- Andrew Sullivan ajs@anvilwalrusden.com
- [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-0… Peter Koch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Edward Lewis
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Johan Ihrén
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Yuri Schaeffer
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Andrew Sullivan
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Olafur Gudmundsson
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Peter Koch