Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14

Tony Finch <dot@dotat.at> Thu, 06 September 2012 11:44 UTC

Date: Thu, 06 Sep 2012 12:44:36 +0100
From: Tony Finch <dot@dotat.at>
To: Matthijs Mekking <matthijs@nlnetlabs.nl>
In-Reply-To: <50487B06.3030303@nlnetlabs.nl>
Message-ID: <alpine.LSU.2.00.1209061211010.9973@hermes-1.csi.cam.ac.uk>
References: <20120823214924.GL30725@x28.adm.denic.de> <50487B06.3030303@nlnetlabs.nl>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] WGLC draft-ietf-dnsop-dnssec-key-timing-03.txt until 2012-09-14

Matthijs Mekking <matthijs@nlnetlabs.nl> wrote:
>

Most of your points look OK to me though I have not yet reviewed the
document in detail. I have a disagreement and a suggestion:

> * Section 2.1. ZSK Rollovers
>
> - Bullet point 2, second paragraph. "Once the signing process is
> complete and enough time has elapsed to allow all old information to
> expire from caches, ...". It is actually more about the new information
> propagating to caches, so I would suggest replacing it with:
>
>     Once the signing process is complete and enough time has elapsed to
>     allow all new information to propagate to caches, ...
>               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

No, I think the original text is correct. You can't remove the old DNSKEY
until all the old RRsets (and RRSIGs) have expired, and you can't remove
the old RRSIGs until the old DNSKEY RRsets have expired. Whether the
caches have the new data is irrelevant since it's also OK for them to have
no data. And when caches are filled is not under the authority's control.

> - Bullet point 1 says that the ZSK Double Signature rollover is also
> known as Double-DNSKEY. I have not heard of this term before reading
> this document. Is it really known as?

Double-KSK would be a better term, since Double-DNSKEY sounds like the
normal steady state with a KSK and ZSK.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
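The timing argument in the reply above, worked through as an added model (not the draft's text and not code from anyone on the list): a validator's cache is bounded by TTL, so the authority must keep the old DNSKEY until every RRSIG made with it can have expired, and keep the old signatures until every cached DNSKEY RRset that lacks the new key can have expired. Key names A (old ZSK) and B (new ZSK), the worst-case resolver, and all times and TTLs are constructed assumptions.

```python
# Added model of ZSK rollover timing; key names A/B and all times are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cached:
    value: frozenset   # key names in a cached DNSKEY RRset, or signers of cached RRSIGs
    fetched: int       # time the resolver fetched it (seconds)
    ttl: int

    def live_at(self, t: int) -> bool:
        return self.fetched <= t < self.fetched + self.ttl

def validation_ok(t, cached_keys, cached_sigs, auth_keys, auth_sigs) -> bool:
    """At time t the resolver uses what it still holds and refetches the rest from
    the authority; validation needs some held RRSIG signed by some held DNSKEY."""
    keys = cached_keys.value if cached_keys.live_at(t) else auth_keys
    sigs = cached_sigs.value if cached_sigs.live_at(t) else auth_sigs
    return bool(keys & sigs)

def earliest_old_dnskey_removal(resign_done: int, rrsig_ttl: int) -> int:
    """Old DNSKEY stays until every RRSIG made with it can have expired from caches."""
    return resign_done + rrsig_ttl

def earliest_old_rrsig_removal(new_key_published: int, dnskey_ttl: int) -> int:
    """Old RRSIGs stay until every DNSKEY RRset lacking the new key can have expired."""
    return new_key_published + dnskey_ttl

A, B = frozenset({"A"}), frozenset({"B"})
BOTH = A | B

def withdraw_old_key_ok(withdraw_at, resign_done, rrsig_ttl) -> bool:
    """Worst case: the resolver fetched an RRSIG by A just before re-signing with
    both keys finished, and has to fetch DNSKEY fresh once A is withdrawn."""
    stale_sig = Cached(A, fetched=resign_done - 1, ttl=rrsig_ttl)
    expired_keys = Cached(BOTH, fetched=0, ttl=0)   # ttl 0: always refetched
    return validation_ok(withdraw_at, expired_keys, stale_sig, auth_keys=B, auth_sigs=B)

def drop_old_sigs_ok(drop_at, new_key_published, dnskey_ttl) -> bool:
    """Worst case: the resolver fetched DNSKEY {A} just before B was published,
    and now fetches an RRset that the authority signs with B only."""
    stale_keys = Cached(A, fetched=new_key_published - 1, ttl=dnskey_ttl)
    expired_sig = Cached(A, fetched=0, ttl=0)
    return validation_ok(drop_at, stale_keys, expired_sig, auth_keys=BOTH, auth_sigs=B)
```

Both worst cases fail if the step is taken earlier than the TTL bound allows, and whether the cache happened to pick up the new data never enters the check.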