I have a few comments.

(1) It's my belief that almost all zones except for the root zone should NOT use a KSK/ZSK split. With the signing of the root zone and many TLDs, manual distribution of trust anchors is likely to be uncommon. One advantage (not mentioned in the document) of using a single key system is that it is not necessary for validators to check the RRSIG for the DNSKEY RRset when it is completely authenticated by the parent DS. Current practice appears to be the opposite, so I would like to see the recommendation tilted more strongly in favour of single keys, "Use a single key unless you are the root zone or you have unusual requirements", in order to redress the balance (operators are like sheep).

(2) There is no point in using a larger key size than the smallest key size in the parent chain (again assuming no manual trust anchors), i.e. if the parent DS record is signed with a 1024-bit key, there is no point in using keys larger than 1024 bits. Again, current practice appears to be the opposite. I don't think this is mentioned, even if it is obvious.

(3) Using a longer TTL for negative DS responses might be useful. Currently the negative TTL for the com zone is only 900 seconds (the SOA TTL). This is probably appropriate for a NameError (NxDomain) response, but 1 day might be more appropriate for a negative DS response, to improve caching performance and reduce load on servers.

I support publication of this document.

Regards,
George Barwood

----- Original Message -----
From: "Peter Koch" <p...@denic.de>
To: "IETF DNSOP WG" <dnsop@ietf.org>
Sent: Monday, April 18, 2011 6:41 PM
Subject: [DNSOP] WGLC <draft-ietf-dnsop-rfc4641bis-06.txt> [2011-05-17]

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
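The condition behind point (1) above, "the DNSKEY RRset is completely authenticated by the parent DS", can be checked mechanically: every DNSKEY in the child's RRset must match a DS (key tag, algorithm, digest) published by the parent. The following Python is an added example written for this page; it is not code from the mail, from the draft, or from any DNS implementation. It implements the RFC 4034 key tag and the DS type-2 (SHA-256) digest over the canonical owner name plus DNSKEY RDATA, and reports which keys in an RRset have no covering DS. The key material (`KSK`, `ZSK`, owner `example.`, algorithm number 8) is constructed placeholder data, not real keys. With a single key that has a DS, the uncovered list is empty; with a KSK/ZSK split the ZSK has no DS, so a validator must rely on the RRSIG over the DNSKEY RRset to accept it.

```python
import hashlib
import struct


def canonical_owner_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by a zero byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2): flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, the non-algorithm-1 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2, SHA-256 over owner name || DNSKEY RDATA (RFC 4034 section 5.1.4, RFC 4509)."""
    return hashlib.sha256(canonical_owner_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record the parent would publish for this DNSKEY."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],      # algorithm byte of the DNSKEY RDATA
        "digest_type": 2,
        "digest": ds_digest(owner, rdata),
    }


def uncovered_keys(owner: str, dnskeys: list, ds_set: list) -> list:
    """Key tags of DNSKEYs in the RRset that no DS in the parent's set authenticates.

    An empty result means the whole DNSKEY RRset is authenticated by the DS chain
    alone (the single-key case in the mail); a non-empty result means the validator
    must verify the RRSIG over the DNSKEY RRset to accept the listed keys."""
    missing = []
    for rdata in dnskeys:
        tag, alg, digest = key_tag(rdata), rdata[3], ds_digest(owner, rdata)
        covered = any(
            ds["key_tag"] == tag
            and ds["algorithm"] == alg
            and ds["digest_type"] == 2
            and ds["digest"] == digest
            for ds in ds_set
        )
        if not covered:
            missing.append(tag)
    return missing


# Constructed sample data (placeholder key bytes, not real keys).
OWNER = "example."
KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))     # flags 257 = zone key + SEP
ZSK = dnskey_rdata(256, 8, bytes(range(100, 164)))  # flags 256 = zone key only
DS_SET = [make_ds(OWNER, KSK)]                      # parent publishes DS for the KSK only


if __name__ == "__main__":
    print("single key, uncovered:", uncovered_keys(OWNER, [KSK], DS_SET))
    print("KSK/ZSK split, uncovered:", uncovered_keys(OWNER, [KSK, ZSK], DS_SET))
```

The DS digest binds the owner name as well as the key, so a DS copied from another zone for the same key does not cover it; the check above rejects that case too.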