I have a few comments.

(1) It's my belief that almost all zones except for the root zone should NOT use a KSK/ZSK split. With the signing of the root zone and many TLDs, manual distribution of trust anchors is likely to be uncommon. One advantage (not mentioned in the document) of using a single key system is that it is not necessary for validators to check the RRSIG for the DNSKEY RRset when it is completely authenticated by the parent DS. Current practice appears to be the opposite, so I would like to see the recommendation tilted more strongly in favour of single keys, "Use a single key unless you are the root zone or you have unusual requirements", in order to redress the balance (operators are like sheep).

(2) There is no point in using a larger key size than the smallest key size in the parent chain (again assuming no manual trust anchors), i.e. if the parent DS record is signed with a 1024 bit key, there is no point in using keys larger than 1024 bits. Again, current practice appears to be the opposite. I don't think this is mentioned, even if it is obvious.

(3) Using a longer TTL for negative DS responses might be useful. Currently the negative TTL for the com zone is only 900 seconds (the SOA TTL). This is probably appropriate for a NameError (NxDomain) response, but 1 day might be more appropriate for a negative DS response, to improve caching performance and reduce load on servers.

I support publication of this document.

Regards,
George Barwood
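As an added example that is not part of George's mail or of the draft under review, the following Python script puts point (2) into a checkable form: it parses RSA DNSKEY public keys in the RFC 3110 wire format to recover each zone's modulus size, then walks a delegation chain root-first and reports the weakest key above each zone, which is the bound that makes any larger key below it pointless. The DNSKEY records are constructed synthetically, and the chain assumes one relevant key per zone, namely the key a validator relies on to reach the next DS.

```python
import base64

RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


def rsa_modulus_bits(public_key_b64: str) -> int:
    """Modulus size in bits of an RSA DNSKEY public key (RFC 3110 encoding)."""
    raw = base64.b64decode(public_key_b64)
    exp_len, offset = raw[0], 1
    if exp_len == 0:  # exponent longer than 255 bytes: a 2-byte length follows
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    modulus = raw[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR into (owner, flags, algorithm, bits)."""
    owner, _ttl, _cls, rtype, flags, _proto, alg, *key = line.split()
    if rtype != "DNSKEY":
        raise ValueError(f"{owner}: not a DNSKEY record")
    flags, alg = int(flags), int(alg)
    if alg not in RSA_ALGORITHMS:
        raise ValueError(f"{owner}: algorithm {alg} is not RSA; modulus rule does not apply")
    return owner, flags, alg, rsa_modulus_bits("".join(key))


def chain_report(lines):
    """For DNSKEY RRs ordered root first, return (owner, bits, bound) per zone,
    where bound is the smallest key seen so far: the effective strength of
    everything validated beneath it."""
    report, bound = [], None
    for line in lines:
        owner, _flags, _alg, bits = parse_dnskey(line)
        bound = bits if bound is None else min(bound, bits)
        report.append((owner, bits, bound))
    return report


def make_rsa_dnskey(owner: str, flags: int, bits: int) -> str:
    """Build a synthetic RSA DNSKEY RR (constructed modulus, NOT a usable key)."""
    exponent = (65537).to_bytes(3, "big")
    modulus = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    key = base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()
    return f"{owner} 3600 IN DNSKEY {flags} 3 8 {key}"


# Constructed chain: a 2048-bit child key under a 1024-bit parent signer.
CHAIN = [make_rsa_dnskey(".", 257, 2048), make_rsa_dnskey("com.", 256, 1024),
         make_rsa_dnskey("example.com.", 257, 2048)]

if __name__ == "__main__":
    for owner, bits, bound in chain_report(CHAIN):
        note = "  <- larger than the weakest key above it" if bits > bound else ""
        print(f"{owner:15} {bits:5} bits  effective bound {bound}{note}")
```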

----- Original Message ----- 
From: "Peter Koch" <p...@denic.de>
To: "IETF DNSOP WG" <dnsop@ietf.org>
Sent: Monday, April 18, 2011 6:41 PM
Subject: [DNSOP] WGLC <draft-ietf-dnsop-rfc4641bis-06.txt> [2011-05-17]

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
