Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
Matthijs Mekking <matthijs@nlnetlabs.nl> Mon, 10 September 2012 08:19 UTC
Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C052B21F84CD for <dnsop@ietfa.amsl.com>; Mon, 10 Sep 2012 01:19:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.449
X-Spam-Level:
X-Spam-Status: No, score=-102.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, SARE_WEOFFER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQizoSDV2q7j for <dnsop@ietfa.amsl.com>; Mon, 10 Sep 2012 01:19:25 -0700 (PDT)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id CFC9021F8518 for <dnsop@ietf.org>; Mon, 10 Sep 2012 01:19:23 -0700 (PDT)
Received: from [213.154.224.18] (zoidberg.nlnetlabs.nl [213.154.224.18]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.5/8.14.4) with ESMTP id q8A8JDkK003104 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 10 Sep 2012 10:19:14 +0200 (CEST) (envelope-from matthijs@nlnetlabs.nl)
X-DKIM: OpenDKIM Filter v2.6.7 open.nlnetlabs.nl q8A8JDkK003104
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1347265155; bh=MFPfcg3UurIokvMx2tk9rbLzfEeDPBAWb5+RcQWtrgM=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=aogoJ1bxg+WJrtjsbJgRJUwenBSK4+hgvtFPk32KWzGhB/TCtN3Y1fUnS/Y8OPjIe /Elzw07c4dBEE6/CWDr8XK9j3Z1Oi1WmlYo6M9qhH6fqJ5oZYgJkdl8FO1/28KEDPW jOGnrCU/z6S/MAe0wJdt4oSZYzFSlT6c0RtOUvqQ=
Message-ID: <504DA280.8090909@nlnetlabs.nl>
Date: Mon, 10 Sep 2012 10:19:12 +0200
From: Matthijs Mekking <matthijs@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120827 Thunderbird/15.0
MIME-Version: 1.0
To: Andrew Sullivan <ajs@anvilwalrusden.com>
References: <20120823214924.GL30725@x28.adm.denic.de> <20120907193210.GH16938@mx1.yitter.info>
In-Reply-To: <20120907193210.GH16938@mx1.yitter.info>
X-Enigmail-Version: 1.4.4
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enig05D028E2AE72B2DCA6A979C5"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (open.nlnetlabs.nl [213.154.224.1]); Mon, 10 Sep 2012 10:19:14 +0200 (CEST)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Sep 2012 08:19:26 -0000
Hi Andrew, On 09/07/2012 09:32 PM, Andrew Sullivan wrote: > Dear colleagues, > > On Thu, Aug 23, 2012 at 11:49:24PM +0200, Peter Koch wrote: >> Dear DNSOP WG, >> >> this is to initiate a working group last call (WGLC) for >> >> "DNSSEC Key Timing Considerations" >> draft-ietf-dnsop-dnssec-key-timing-03.txt >> <http://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/> >> > > I have read draft-ietf-dnsop-dnssec-key-timing-03. I have some > comments. I'll send additional comments containing nits to the draft > editors. > > On the whole, I think the draft is a little complicated for operators > to follow easily. I nevertheless think we should publish it: we offer > today _no_ guidance to operators on these matters, and people I work > with, at least, want such guidance. I know there's another draft > floating about, but if we take as long to reach agreement on that > draft as we took to review this one, we'll never publish anything. I agree the document can be complicated for operators, but the document targets developers in the first place. But I must admit, also for developers, it can be quite a challenge to fully grasp all the timings and its explanations on the first read. > In section 1.2, it would be helpful to observe that, as a matter of > deployment, the KSK might also be the ZSK. I'm aware that the > document is assuming a sharp distinction, but by noting they could be > the same key and leaving the working out of the implications for the > reader, the document will be made more useful. If we would add such a notion, I would also add that this document does not cover time lines for rollovers where the key has both roles. > Section 1.4 includes the RFC 2119 language, but in some places I > notice "must" (in lower case) used. I find this a little hard to work > with, and I know that at least one AD is quite exercised about this > issue, so I think someone needs to go through the document and restate > such uses. I also find it mystifying why some but not all of the > definitions are moved to an appendix, although I don't really care > about this. > > Section 3.1 has this definition: > > Published The DNSKEY record - or information associated with it - > is published in the zone, but predecessors of the key (or > associated information) may be held in caches. > > I think this isn't quite right, because the predecessors of the key > (i.e. other keys) might also be Published, no? It's predecessors of > the relevant RRsets that might still be in caches, I think, no? > > In section 3.2.2, the text, "The successor is key is now active and > the current key is said to be retired," is a little strange (it's odd > that the "current key" is the retired one and the "successor key" is > active). I understand the text given the context, but I wonder whether > this would be better phrased in terms of Key N and Key N+1. > > It took me a minute to understand Section 3.2.3, Event 4. Perhaps it > could be clarified this way: > > There is now a delay while RRSIGs that were only generated using > Key N expire from caches. This interval is given by the expression: > > Dprp + TTLsig > > After that interval, all caches that have any RRSIG will have the > RRSIGs generated by both Key N and Key N-1. > > Or something like that? > > Best regards, > > Andrew >
- [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-0… Peter Koch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Edward Lewis
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Johan Ihrén
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Yuri Schaeffer
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Andrew Sullivan
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Matthijs Mekking
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Olafur Gudmundsson
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Tony Finch
- Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timi… Peter Koch