Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-key-timing-05.txt
Paul Hoffman <paul.hoffman@vpnc.org> Tue, 23 September 2014 03:06 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: dnsop <dnsop@ietf.org>
Date: Mon, 22 Sep 2014 20:06:06 -0700
In-Reply-To: <541B29CE.5040908@gmail.com>
References: <20140917121858.30503.75097.idtracker@ietfa.amsl.com> <541B29CE.5040908@gmail.com>
Message-Id: <C3C8B727-1B0C-4DA2-9885-B4AFEC9F3580@vpnc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/h7a8C2wflxqfNIlJoJtCyIi4Src
On Sep 18, 2014, at 11:51 AM, Tim Wicinski <tjw.ietf@gmail.com> wrote:

> This document has been in WGLC and the working group has done an iteration on the document. The authors merged in several sets of changes, first back in July, and recently from the feedback from the working group reviewers and editors. The opinion is that this version reflects all suggestions and is ready to move forward again.
>
> Since the editorial changes are more than we originally expected, we're going to open up a Working Group Last Call on this document for another 2 weeks. We urge folks to read over the differences in the documents.
>
> This last call will end on October 2nd, 2014.

I did a clean read, and it feels *much* better than the early drafts. I have a small number of editorial comments, but some bigger questions as well. I strongly suspect the questions can be answered by small additions to the draft.

At the beginning of 2.1:

   For ZSKs, the issue for the zone operator/signer is to ensure that
   any caching validator has access to a particular signature that
   corresponds to a valid ZSK.

"that corresponds to" seems wrong here. The following may be more accurate (or it might be wrong...):

   For ZSKs, the issue for the zone operator/signer is to ensure that
   any caching validator has access to a particular signature has
   access to the corresponding valid ZSK.

In 2.2, it says "It is important to note that this does not preclude the development of key rollover logic"; I can't figure out what "this" refers to. There are a bunch of things in the two preceding paragraphs that it might mean.

The introduction to 3.1 caught me, and I can't figure out whether or not it is right.

   A DNSSEC key contributes two pieces of information to the validation
   process: the DNSKEY itself and the data created from it. In the case
   of the validation of an RR, the data created from the DNSKEY is the
   RRSIG. Where there is a need to validate a chain of trust, the data
   created from the DNSKEY is the DS.

   In this section, the term "associated data" refers to the RRSIGs
   created from a DNSKEY when discussing a ZSK, or to the DNSKEY's
   corresponding DS record when referring to a KSK.

Is the "associated data" for a KSK really just the DS? Shouldn't any RRSIG over the ZSK that was created by the DNSKEY also be "associated data"?

Also in 3.1:

   Ready  The DNSKEY or its associated data have been published for
          long enough to guarantee that any previous versions of the
          DNSKEY and/or associated data have expired from caches.

This is discussing a new key. What is the "previous version"?

Section 3.3.5 is really important to some readers, but it could easily be lost. There should be a sentence near the end of 1.1 that says "Note that introduction of first keys is different than rolling a key; see Section 3.3.5 for more information about that topic."

Section 6 really should be Section 1.4. The paragraphs will make it much easier for someone reading the document who exclaims (to no one in particular) "they didn't consider X" as they are reading the meat of the document to understand that the authors probably did think about it, but chose to not include it.

--Paul Hoffman
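The "Ready" state questioned above is defined purely by cache expiry, so it is worth seeing the timeline as arithmetic. The following is an added example, not text from the draft or code from anyone in the thread. It assumes the pre-publication ZSK method that the draft (later RFC 7583) describes: the new DNSKEY may be treated as Ready once Ipub = Dprp + TTLkey has elapsed since publication, and the old key's signatures (its "associated data") are gone from every cache Iret = Dsgn + Dprp + TTLsig after the new key became Active. The parameter names and all time values are constructed for the example.

```python
"""Timeline of a pre-publication ZSK rollover (added example).

Assumed intervals, following the pre-publication method in
draft-ietf-dnsop-dnssec-key-timing / RFC 7583:
  Ipub = Dprp + TTLkey        new key is Ready: every cache that held the
                              DNSKEY RRset without it has expired that copy
  Iret = Dsgn + Dprp + TTLsig old key's RRSIGs (its associated data) have
                              expired from all caches after this interval
Times are seconds since an arbitrary epoch; all values are constructed.
"""

STATES = ("Generated", "Published", "Ready", "Active")


def ready_time(t_pub: int, d_prp: int, ttl_key: int) -> int:
    """Earliest instant the new DNSKEY may be considered Ready.

    d_prp: propagation delay to every authoritative server.
    ttl_key: TTL of the DNSKEY RRset, i.e. how long a cache may hold the
             RRset that was fetched just before the new key was added.
    """
    return t_pub + d_prp + ttl_key


def retire_interval(d_sgn: int, d_prp: int, ttl_sig: int) -> int:
    """How long after activation of the new key the old key must be kept.

    d_sgn: time to re-sign the whole zone with the new key.
    ttl_sig: largest TTL of any RRset the old key signed, so a cache may
             still serve an old RRSIG for that long after the last fetch.
    """
    return d_sgn + d_prp + ttl_sig


def safe_to_activate(t_act: int, t_pub: int, d_prp: int, ttl_key: int) -> bool:
    """True if activating at t_act cannot leave a validator holding a
    DNSKEY RRset that lacks the key whose RRSIGs it now receives."""
    return t_act >= ready_time(t_pub, d_prp, ttl_key)


def zsk_state(now: int, t_gen: int, t_pub: int, t_act: int,
              d_prp: int, ttl_key: int) -> str:
    """State of the new ZSK at time `now` under the assumed model."""
    if now < t_gen:
        raise ValueError("key does not exist yet")
    if now < t_pub:
        return "Generated"
    if now < ready_time(t_pub, d_prp, ttl_key):
        return "Published"
    if now < t_act:
        return "Ready"
    return "Active"


def old_key_removal_time(t_act: int, d_sgn: int, d_prp: int, ttl_sig: int) -> int:
    """Earliest instant the previous ZSK may be withdrawn: all of its
    associated data (RRSIGs) has expired from caches by then."""
    return t_act + retire_interval(d_sgn, d_prp, ttl_sig)


if __name__ == "__main__":
    # Constructed timeline: generate at 0, publish at 1000, 10-minute
    # propagation, 1-hour DNSKEY TTL, activate at 6000, 1-day RRSIG TTL.
    t_gen, t_pub, d_prp, ttl_key, t_act = 0, 1000, 600, 3600, 6000
    for now in (500, 2000, 5200, 6000):
        print(now, zsk_state(now, t_gen, t_pub, t_act, d_prp, ttl_key))
    print("old key removable at",
          old_key_removal_time(t_act, d_sgn=300, d_prp=d_prp, ttl_sig=86400))
```

The model makes the "previous version" in the Ready definition concrete: for a new ZSK it is the DNSKEY RRset (and the old key's RRSIGs) that caches fetched before the new key appeared, and Ready simply means that copy cannot still be in any cache.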