Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc4641bis-13.txt

Matthijs Mekking <matthijs@nlnetlabs.nl> Tue, 11 September 2012 10:03 UTC


Hi,

This document is the result of IESG review and off-line comments we
received during IESG review.

The IESG review mainly resulted in style and language changes, including
some typo fixes. There was a strong consensus for keeping a changelog
between RFC 4641 and this successor document, so I have added an extra
appendix for that. The section of Security Considerations has been expanded.

During IESG review, we received some off-line comments:

- In the DNSKEY removal step of the ZSK Pre-Publication Rollover, the
DNSKEY RRset does not need to be resigned with the DNSKEY_Z_11, only
with the DNSKEY_K_1.

- The -12 warned that having a key effectivity period smaller than the
Maximum Zone TTL leads to an ever-growing DNSKEY RRset. Yuri Schaeffer
has pointed out that this is not entirely true: At some point in time
the growth stops. However, you would have an unnecessarily large DNSKEY
RRset.

- The -12 mentions in Section 5.3.3 (on the topic of NSEC3 Salt) that
all NSEC3 records in a zone should have the same salt. Ed Lewis has
pointed out that there can be NSEC3 records with other salt, as long as
there is one complete chain of NSEC3 records with the same salt, and
that salt matches the salt in the NSEC3PARAM record.

Best regards,
  Matthijs


On 09/11/2012 11:58 AM, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>  This draft is a work item of the Domain Name System Operations Working Group of the IETF.
> 
> 	Title           : DNSSEC Operational Practices, Version 2
> 	Author(s)       : Olaf M. Kolkman
>                           W. (Matthijs) Mekking
>                           R. (Miek) Gieben
> 	Filename        : draft-ietf-dnsop-rfc4641bis-13.txt
> 	Pages           : 83
> 	Date            : 2012-09-11
> 
> Abstract:
>    This document describes a set of practices for operating the DNS with
>    security extensions (DNSSEC).  The target audience is zone
>    administrators deploying DNSSEC.
> 
>    The document discusses operational aspects of using keys and
>    signatures in the DNS.  It discusses issues of key generation, key
>    storage, signature generation, key rollover, and related policies.
> 
>    This document obsoletes RFC 4641 as it covers more operational ground
>    and gives more up-to-date requirements with respect to key sizes and
>    the DNSSEC operations.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc4641bis
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-13
> 
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc4641bis-13
> 
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
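The second point in Matthijs's list (a key effectivity period shorter than the Maximum Zone TTL makes the DNSKEY RRset large, but not ever-growing) can be checked with a small simulation of the ZSK Pre-Publication Rollover timeline. This is an added example, not code from the draft or from the post; the timing model (publish a successor one DNSKEY TTL before activation, keep a predecessor one Maximum Zone TTL after retirement) folds propagation delays into the TTLs, and every parameter value below is constructed.

```python
"""Simulate the number of ZSKs in a DNSKEY RRset under Pre-Publication Rollover."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class ZskLifetime:
    publish: int    # DNSKEY added to the RRset (pre-publication)
    activate: int   # key starts producing RRSIGs
    retire: int     # key stops producing RRSIGs (successor takes over)
    remove: int     # DNSKEY withdrawn once cached RRSIGs have expired


def plan_zsk_rollovers(effectivity, dnskey_ttl, max_zone_ttl, count):
    """Schedule `count` successive ZSKs, one rollover per effectivity period.

    Simplified timing (assumption, not the draft's exact wording): a successor
    is published one DNSKEY TTL before activation so validators have it
    cached; a predecessor stays published one Maximum Zone TTL after it is
    retired so signatures it made can still be validated from caches.
    """
    keys = []
    for i in range(count):
        activate = i * effectivity
        keys.append(ZskLifetime(publish=max(0, activate - dnskey_ttl),
                                activate=activate,
                                retire=activate + effectivity,
                                remove=activate + effectivity + max_zone_ttl))
    return keys


def rrset_size_at(keys, t):
    """Number of ZSKs present in the DNSKEY RRset at time t."""
    return sum(1 for k in keys if k.publish <= t < k.remove)


def steady_state_size(effectivity, dnskey_ttl, max_zone_ttl):
    """Closed-form bound: each key is published for dnskey_ttl + effectivity
    + max_zone_ttl and a new key appears every effectivity interval, so the
    RRset stops growing once it reaches this many keys."""
    return ceil((dnskey_ttl + effectivity + max_zone_ttl) / effectivity)


def peak_size(effectivity, dnskey_ttl, max_zone_ttl, count=40):
    """Largest RRset observed over `count` rollovers (all times in hours)."""
    keys = plan_zsk_rollovers(effectivity, dnskey_ttl, max_zone_ttl, count)
    return max(rrset_size_at(keys, t) for t in range(keys[-1].remove))


if __name__ == "__main__":
    # Constructed parameters: DNSKEY TTL 1 day, Maximum Zone TTL 3 days.
    for effectivity in (6, 24, 48, 720):
        print(f"effectivity={effectivity:4}h  peak={peak_size(effectivity, 24, 72)}"
              f"  bound={steady_state_size(effectivity, 24, 72)}")
```

With a 6-hour effectivity period and a 3-day Maximum Zone TTL the RRset plateaus at 17 ZSKs rather than growing without bound, which is exactly the "large but finite" behaviour described in the post.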