Hi George, dnsop,

On 04/18/2011 09:01 PM, George Barwood wrote:
> I have a few comments.
>
> (1) It's my belief that almost all Zones except for the root zone should NOT
> use a KSK/ZSK split.
> With the signing of the root zone and many TLDs, manual distribution of trust
> anchors is likely to be uncommon. One advantage (not mentioned in the document)
> of using a single key system is that it is not necessary for validators to
> check the RRSIG for the DNSKEY RRset when it is completely authenticated by
> the parent DS. Current practice appears to be the opposite, so I would like
> to see the recommendation tilted more strongly in favour of single keys,
> "Use a single key unless you are the root zone or you have unusual
> requirements"
> in order to redress the balance (operators are like sheep).

This document is *not* intended to become a BCP. Therefore, I am not eager to add such a recommendation. I believe the operational motivation for the ZSK/KSK split (3.1) is sufficient for operators to be able to decide whether a split or a Single Type Signing Scheme is recommended.

> (2) There is no point in using a larger key size than the smallest key size
> in the parent chain (again assuming no manual trust anchors). I.e. if the
> parent DS record is signed with a 1024 bit key, there is no point in using
> keys larger than 1024 bits. Again, current practice appears to be the opposite.
> I don't think this is mentioned, even if it is obvious.

The document does mention that an attacker will attack the key that costs the lowest resources. The comparison with TLS trust anchors is made. Perhaps a clarifying note on DS records can be made here as well.

> (3) Using a longer TTL for negative DS responses might be useful. Currently
> the negative TTL for the com zone is only 900 seconds (the SOA TTL). This is
> probably appropriate for a NameError (NxDomain) response, but 1 day might be
> more appropriate for a negative DS response, to improve caching performance
> and reduce load on servers.

You might be right, I don't know which value is more appropriate in one case or another. In one case 900 seconds might be preferred, in the other case 1 day is maybe the best solution. I don't want to advocate BCP values for SOA TTL and SOA MINIMUM. (What I don't understand is how you would set different TTLs for DS-related negative answers and non-DS-related negative answers.)

Best regards,
Matthijs

> I support publication of this document.
>
> Regards,
> George Barwood
>
> ----- Original Message -----
> From: "Peter Koch" <p...@denic.de>
> To: "IETF DNSOP WG" <dnsop@ietf.org>
> Sent: Monday, April 18, 2011 6:41 PM
> Subject: [DNSOP] WGLC <draft-ietf-dnsop-rfc4641bis-06.txt> [2011-05-17]
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
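The "weakest key in the parent chain" argument from George's point (2), worked as an added example that is not part of the thread or the draft: it models the DNSSEC chain of trust from the trust anchor down as a list of signature links, finds the smallest key a validator must rely on, and flags every key that is larger than the weakest key above it. Zone names, key sizes and the RSA-bits-only strength model are constructed assumptions for illustration.

```python
from typing import List, Optional, Tuple

# One signature link in the chain: (zone, key role, modulus bits).
# Strength is modelled by RSA modulus size only (an assumption made for the
# example; real strength also depends on the algorithm in use).
Link = Tuple[str, str, int]


class Zone:
    def __init__(self, name: str, ksk_bits: int, zsk_bits: Optional[int] = None):
        self.name = name
        self.ksk_bits = ksk_bits  # referenced by the parent's DS, signs the DNSKEY RRset
        self.zsk_bits = zsk_bits  # signs zone data incl. child DS; None = single key


def chain_links(zones: List[Zone]) -> List[Link]:
    """Every signature a validator relies on, from the trust anchor (first
    zone) down to the leaf zone's data, in the order they are verified."""
    links: List[Link] = []
    for z in zones:
        if z.zsk_bits is None:
            # Single Type Signing Scheme: one key signs DNSKEY RRset and data.
            links.append((z.name, "single", z.ksk_bits))
        else:
            links.append((z.name, "KSK", z.ksk_bits))
            links.append((z.name, "ZSK", z.zsk_bits))
    return links


def weakest_link(zones: List[Zone]) -> Link:
    """The cheapest key for an attacker to target anywhere in the chain."""
    return min(chain_links(zones), key=lambda link: link[2])


def oversized_keys(zones: List[Zone]) -> List[Tuple[str, str, int, int]]:
    """Keys larger than the weakest key above them; the extra bits add no
    protection to data in that zone because an ancestor link is weaker.
    Returns (zone, role, bits, weakest_bits_above)."""
    flagged = []
    floor: Optional[int] = None  # running minimum of key sizes seen so far
    for name, role, bits in chain_links(zones):
        if floor is not None and bits > floor:
            flagged.append((name, role, bits, floor))
        floor = bits if floor is None else min(floor, bits)
    return flagged


# Constructed sample chain: root and com with a KSK/ZSK split, a leaf zone
# with a single 4096-bit key. These are not the real key sizes of any zone.
SAMPLE_CHAIN = [Zone(".", 2048, 1024), Zone("com", 2048, 1024), Zone("example.com", 4096)]

if __name__ == "__main__":
    print("weakest link:", weakest_link(SAMPLE_CHAIN))
    for zone, role, bits, floor in oversized_keys(SAMPLE_CHAIN):
        print(f"{zone} {role} {bits}-bit key gains nothing over the {floor}-bit link above it")
```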