In section 4.2.1.1. (Pre-Publish Key Rollover) of 4641, the table detailing the stages of the rollover process appears to be missing some indentation.
Existing Text: Pre-publish key rollover involves four stages as follows: ---------------------------------------------------------------- initial new DNSKEY new RRSIGs DNSKEY removal ---------------------------------------------------------------- SOA0 SOA1 SOA2 SOA3 RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 DNSKEY11 RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) ---------------------------------------------------------------- Pre-Publish Key Rollover initial: Initial version of the zone: DNSKEY 1 is the Key Signing Key. DNSKEY 10 is used to sign all the data of the zone, the Zone Signing Key. new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no signatures are generated with this key yet, but this does not secure against brute force attacks on the public key. The minimum duration of this pre-roll phase is the time it takes for the data to propagate to the authoritative servers plus TTL value of the key set. Corrected table, with '|' indicating a changed line: Pre-publish key rollover involves four stages as follows: ---------------------------------------------------------------- initial new DNSKEY new RRSIGs DNSKEY removal ---------------------------------------------------------------- SOA0 SOA1 SOA2 SOA3 RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 | DNSKEY11 DNSKEY11 RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) ---------------------------------------------------------------- Pre-Publish Key Rollover -- Robert Story SPARTA
signature.asc
Description: PGP signature
_______________________________________________ DNSOP mailing list [EMAIL PROTECTED] https://www1.ietf.org/mailman/listinfo/dnsop