comments on draft-ietf-dnsop-resolver-rollover-00.txt
"Scott Rose" <scottr@antd.nist.gov> Mon, 02 July 2001 16:09 UTC
Received: from nic.cafax.se (nic.cafax.se [192.71.228.17]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA01387 for <dnsop-archive@odin.ietf.org>; Mon, 2 Jul 2001 12:09:17 -0400 (EDT)
Received: from nic.cafax.se (localhost [127.0.0.1]) by nic.cafax.se (8.12.0.Beta13/8.12.0.Beta13) with ESMTP id f62FjgsG020493 for <dnsop-outgoing@nic.cafax.se>; Mon, 2 Jul 2001 17:45:42 +0200 (MEST)
Received: by nic.cafax.se (8.12.0.Beta13/8.12.0.Beta13) id f62FjeDC020492 for dnsop-outgoing; Mon, 2 Jul 2001 17:45:40 +0200 (MEST)
X-Authentication-Warning: nic.cafax.se: majordom set sender to owner-dnsop@cafax.se using -f
Received: from is1-55.antd.nist.gov (is1-50.antd.nist.gov [129.6.50.251]) by nic.cafax.se (8.12.0.Beta13/8.12.0.Beta13) with ESMTP id f62FjdsG020487 for <dnsop@cafax.se>; Mon, 2 Jul 2001 17:45:39 +0200 (MEST)
Received: from barnacle (barnacle.antd.nist.gov [129.6.55.185]) by is1-55.antd.nist.gov (8.9.3/8.9.3) with SMTP id LAA22221 for <dnsop@cafax.se>; Mon, 2 Jul 2001 11:45:36 -0400 (EDT)
Message-ID: <01de01c1030d$d2c887a0$b9370681@antd.nist.gov>
From: Scott Rose <scottr@antd.nist.gov>
To: dnsop@cafax.se
Subject: comments on draft-ietf-dnsop-resolver-rollover-00.txt
Date: Mon, 02 Jul 2001 11:44:04 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-dnsop@cafax.se
Precedence: bulk
First, I think this is a good draft to discuss more of the security maintenance necessary once DNSSEC gets deployed on a larger scale. However, there are two points I would like to bring up to the group for discussion:

1. In section 2.2, the sixth paragraph states that "During a PC-rollover [a delegated child conducts a key rollover] the old and the new key have to coexist in the zone and the zone must be signed with both the old and new keys so that end-users..." Should this "must" be a "MUST"? I think it would stress a key part of this feature, and would be necessary.

2. The draft should stress that this rollover transaction should only be used for scheduled KEY rollover. An emergency rollover (compromised key) would require more timely interaction and some out-of-band communication for both the PC and SE rollovers. Hard-nosed security folk will be quick to jump on this point.

Scott

===============================================================
Scott Rose
Advanced Network Technologies Division
NIST
ph: 301-975-8439
fax: 301-590-0932
http://www.nist.gov
===============================================================
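The following is an added illustration of the point raised in the first comment above; it is not part of the original message or of the draft under discussion. It is a toy model of the double-signature overlap during a scheduled rollover: a resolver that still holds the zone's pre-rollover KEY RRset in its cache can only validate the zone during the overlap step if the zone carries signatures from both the old and the new key. The model goes one step beyond the draft text by also running the overlap step with only the new key signing, so the failure case is visible next to the correct one. All names, key tags, the sample RRset and the resolver cache model are assumptions made for the example, and signatures are HMAC-SHA256 stand-ins so the code runs with the standard library only; they are not real DNSSEC RRSIGs.

```python
"""Toy model of a DNSSEC double-signature key rollover (added example).

Signatures are HMAC-SHA256 stand-ins (a symmetric toy, not real DNSSEC), chosen
so the example runs with the standard library only. A validating resolver is
modelled as the set of keys from the KEY RRset it currently has cached; it
keeps using that set until the cached copy expires.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    tag: int        # stands in for the DNSSEC key tag (assumed values below)
    secret: bytes   # toy: the same bytes serve as signing and verifying key

    def sign(self, rrset: bytes) -> tuple[int, bytes]:
        """Return an (owner key tag, signature) pair over the RRset bytes."""
        return self.tag, hmac.new(self.secret, rrset, hashlib.sha256).digest()

    def verify(self, rrset: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(rrset)[1], sig)


def validate(trusted: dict[int, Key], rrset: bytes,
             rrsigs: list[tuple[int, bytes]]) -> bool:
    """Accept the RRset if at least one signature verifies under a key that is
    in the KEY RRset the resolver currently trusts."""
    return any(tag in trusted and trusted[tag].verify(rrset, sig)
               for tag, sig in rrsigs)


def rollover_steps(rrset: bytes, old: Key, new: Key, double_sign: bool):
    """The three published states of the zone during a scheduled rollover.

    Each step is (name, keys published in the KEY RRset, signatures over the
    RRset). With double_sign=True the overlap step is signed with both keys,
    as the draft's section 2.2 requires; with False only the new key signs.
    """
    overlap_signers = [old, new] if double_sign else [new]
    return [
        ("before",  [old],      [old.sign(rrset)]),
        ("overlap", [old, new], [k.sign(rrset) for k in overlap_signers]),
        ("after",   [new],      [new.sign(rrset)]),
    ]


def simulate(double_sign: bool) -> dict[str, dict[str, bool]]:
    """Validation outcome per step for two resolvers: one whose cached KEY
    RRset predates the rollover, one that re-fetched it during the overlap."""
    old = Key(tag=12345, secret=b"old-key-secret")    # constructed sample key
    new = Key(tag=54321, secret=b"new-key-secret")    # constructed sample key
    rrset = b"www.example. 3600 IN A 192.0.2.1"        # constructed sample RRset
    stale = {old.tag: old}                  # cache still holds only the old key
    refreshed = {old.tag: old, new.tag: new}  # cache fetched during the overlap
    results = {}
    for name, _published, rrsigs in rollover_steps(rrset, old, new, double_sign):
        results[name] = {
            "stale_cache": validate(stale, rrset, rrsigs),
            "refreshed_cache": validate(refreshed, rrset, rrsigs),
        }
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print("double-signed overlap:" if mode else "single-signed overlap:")
        for step, outcome in simulate(mode).items():
            print(f"  {step:8s} {outcome}")
```

The "after" step fails for the stale cache in both runs; that is expected, since by then the old key is gone and the draft's timing is what ensures such a cache has expired before the old key is withdrawn. The difference the comment is about shows up in the "overlap" step: with only the new key signing, every resolver that has not yet re-fetched the KEY RRset stops validating the zone.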