Hi,

I volunteered to review this draft, and have some minor comments:

1. In section 4 it says that trust anchors correspond to KSKs. My understanding is that trust anchors correspond to both KSKs and ZSKs. I also made this comment on my review of draft-gudmundsson-life-of-dnskey-00.

2. Some must/should/SHOULD/MUST issues:

   * page 6: "A validating resolver *should* remove a trust anchor that has been revoked as indicated by the REVOKE bit in the corresponding DNSKEY record as described in RFC 5011." : I argue if this 'should' should be a 'SHOULD' :), in order to indicate the requirement level as described in RFC 2119.

   * page 7: "Validating resolver operators *MUST* ensure that configured trust anchors remains current and does not go stale." : This 'MUST' must be a 'must'. Well, at least I find it strange to use a keyword for the work of (human) operators.

     "each configured trust anchor *SHOULD* correspond to a DNSKEY RR in the trust anchor zone's apex DNSKEY RRSet." : SHOULD -> should. I think this refers to 'ought to' and not the 2119 definition.

3. In section 5 it says that if multiple mechanisms are updating the trust anchor list then there is the possibility of conflict, ... So this setting is NOT RECOMMENDED? Maybe add such a sentence.

4. If you're using RFC 2119 keywords, maybe a section 'requirements language' should be provided.

That's all!

Matthijs Mekking
[EMAIL PROTECTED]
Foundation NLnet Labs

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop