[DNSOP] Questions regarding draft-jabley-dnssec-trust-anchor-07

Daniel Migault <mglt.ietf@gmail.com> Mon, 14 October 2013 14:02 UTC


Hi,

I went through the draft
http://tools.ietf.org/html/draft-jabley-dnssec-trust-anchor-07 and have a few
comments and questions.

The section provides 3 example URLs with the keyword "key-label". Maybe it
would be helpful to designate it as "key-digest-id", as we get it from the
following line: <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">

Then I have other questions regarding the format of the certificate. Maybe
some text should be added to clarify these points.

1) Why is KeyUsage not specified? This field is Critical, and I would have
expected it to have these two values: digitalSignature (0) and nonRepudiation
(1), as it signs the ZSK.

2) Why don't you use a Subject Alternative Name with the DNS name set to the
FQDN of the zone? This informational field would bind the KSK to the zone.
The CN string "Root Zone KSK 2010-06-16T21:19:24+00:00" could be considered
as a description.

3) Are there any reasons to put the CN "Root Zone KSK 2010-06-16T21:19:24+00:00"
instead of the exact name of the zone, i.e. in our case "."?

4) What are the motivations for resourceRecord? Is that to specify the
usage and the Subject Alternative Name? I understand it as a private
attribute. Am I right?

Best Regards,
Daniel

-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58