Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
Tony Finch <dot@dotat.at> Thu, 06 September 2012 11:44 UTC
Date: Thu, 06 Sep 2012 12:44:36 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Matthijs Mekking <matthijs@nlnetlabs.nl>
In-Reply-To: <50487B06.3030303@nlnetlabs.nl>
Message-ID: <alpine.LSU.2.00.1209061211010.9973@hermes-1.csi.cam.ac.uk>
References: <20120823214924.GL30725@x28.adm.denic.de> <50487B06.3030303@nlnetlabs.nl>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14
Matthijs Mekking <matthijs@nlnetlabs.nl> wrote:
>

Most of your points look OK to me though I have not yet reviewed the
document in detail. I have a disagreement and a suggestion:

> * Section 2.1. ZSK Rollovers
>
> - Bullet point 2, second paragraph. "Once the signing process is
> complete and enough time has elapsed to allow all old information to
> expire from caches, ...". It is actually more about the new information
> to propagate to caches, so I would suggest to replace it with:
>
> Once the signing process is complete and enough time has elapsed to
> allow all new information to propagate to caches, ...
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

No, I think the original text is correct. You can't remove the old DNSKEY
until all the old RRsets (and RRSIGs) have expired, and you can't remove
the old RRSIGs until the old DNSKEY RRsets have expired. Whether the
caches have the new data is irrelevant since it's also OK for them to
have no data. And when caches are filled is not under the authority's
control.

> - Bullet point 1 says that the ZSK Double Signature rollover is also
> known as Double-DNSKEY. I have not heard of this term before reading
> this document. Is it really known as?

Double-KSK would be a better term, since Double-DNSKEY sounds like the
normal steady state with a KSK and ZSK.

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
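An added worked example, not part of the thread or of the draft, that models the timing argument in the reply above. It simulates a Double-Signature ZSK rollover (new ZSK published and both keys sign at t_intro; old key and its RRSIGs withdrawn together at t_remove) against a validating resolver whose DNSKEY RRset and signed data RRset were fetched at different moments and are each kept for their TTL. The TTL values, the "old"/"new" key labels and the function names are all constructed for this illustration. The checker shows that the only thing the removal step depends on is the expiry of data fetched before t_intro; a cache that holds nothing simply refetches and validates fine, which is the point made above.

```python
# Added example (not from the thread): worst-case cache model for a
# Double-Signature ZSK rollover. TTLs and key labels are constructed.
from dataclasses import dataclass

TTL_DNSKEY = 3600   # constructed TTL (seconds) of the DNSKEY RRset
TTL_RRSET = 7200    # constructed TTL of the signed data RRset and its RRSIGs


@dataclass(frozen=True)
class ZoneState:
    dnskeys: frozenset   # ZSK labels present in the published DNSKEY RRset
    signers: frozenset   # ZSK labels whose RRSIGs cover the data RRset


def zone_at(t, t_intro, t_remove):
    """Contents served by the authority at time t (Double-Signature scheme)."""
    if t < t_intro:
        return ZoneState(frozenset({"old"}), frozenset({"old"}))
    if t < t_remove:
        return ZoneState(frozenset({"old", "new"}), frozenset({"old", "new"}))
    return ZoneState(frozenset({"new"}), frozenset({"new"}))


def validates(t_now, t_dnskey_fetch, t_rrset_fetch, t_intro, t_remove):
    """Does a validator succeed at t_now?

    It holds a DNSKEY RRset fetched at t_dnskey_fetch and a data RRset (with
    its RRSIGs) fetched at t_rrset_fetch. An expired copy, or an empty cache
    (passed as None), is refetched from the authority at t_now. Validation
    succeeds iff some RRSIG was made by a key present in the DNSKEY RRset.
    """
    if t_dnskey_fetch is None or t_now - t_dnskey_fetch >= TTL_DNSKEY:
        t_dnskey_fetch = t_now
    if t_rrset_fetch is None or t_now - t_rrset_fetch >= TTL_RRSET:
        t_rrset_fetch = t_now
    keys = zone_at(t_dnskey_fetch, t_intro, t_remove).dnskeys
    sigs = zone_at(t_rrset_fetch, t_intro, t_remove).signers
    return bool(keys & sigs)


def rollover_is_safe(t_intro, t_remove, step=60):
    """True if no combination of cached copies can fail once the old key is
    withdrawn. The zone changes only at t_intro and t_remove, so the most
    dangerous cached copy of an RRset is the one fetched just before a change
    (stalest content, longest remaining lifetime); those two instants plus a
    fresh fetch therefore cover every distinct cache content."""
    horizon = t_remove + max(TTL_DNSKEY, TTL_RRSET)
    candidates = (t_intro - 1, t_remove - 1, None)
    for t_now in range(t_remove, horizon + 1, step):
        for key_fetch in candidates:
            for sig_fetch in candidates:
                if not validates(t_now, key_fetch, sig_fetch, t_intro, t_remove):
                    return False
    return True


def min_safe_delay(step=600):
    """Smallest t_remove - t_intro (on a grid of `step` seconds) that is safe.
    With the constructed TTLs this is the larger of the two TTLs."""
    t_intro = 100_000
    for delay in range(0, 2 * max(TTL_DNSKEY, TTL_RRSET) + 1, step):
        if rollover_is_safe(t_intro, t_intro + delay):
            return delay
    return None


if __name__ == "__main__":
    # Withdrawing the old ZSK one DNSKEY TTL after introducing the new one is
    # not enough: a cache may still hold old RRSIGs but fetch a DNSKEY set
    # that no longer contains the old key.
    print("remove after 1h: safe?", rollover_is_safe(100_000, 103_600))
    print("minimum safe delay (s):", min_safe_delay())
```

The search only considers whether stale copies are still alive, never whether a cache has already picked up the new data, and an empty cache (None) always validates; that is exactly the "old information expires" condition. Real deployments add zone propagation time to secondaries on top of the TTL bound computed here.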