On 18-04-11 19:41, Peter Koch wrote:
> Please review the document and send any comments you may have to the
> list. If you have no comments but support (or do not support) the
> document being published, please send that information to the list.

More comments:

Section 4.1.2 last paragraph:
"In this mechanism, there are periods where there are two DS RRs at the parent. Since at the moment of writing the protocol for this interaction has not been developed, further discussion is out of scope for this document."

This is strange, as the Double-DS rollover mechanism is used further on in the document in section 4.1.3, figure 5. I think this text is a leftover from a previous version. It is true that an automated rollover with an in-band interaction has not been developed yet, but this text seems to suggest that Double-DS has not been invented yet. And if such an interaction were developed, this should be discussed in section 4.1.3 where Double-DS is defined, as this is what the interaction is trying to automate.

When I take section 4.3.5 into consideration, I think that the Double-DS mechanism is almost mandatory for a parent to implement, otherwise you cannot accommodate secure child DNS operator changes. Since this mechanism can also be used for regular rollovers, as section 4.1.3 describes, I think Double-DS will be the default rollover mechanism, and double signature only an alternative that will not be deployed by all parents, like registries that need to implement these procedures. They will want to stick to one size fits all.

Suggestion: Remove the last paragraph of section 4.1.2 starting at "An alternative mechanism has been considered." There's no use in discussing something that doesn't exist yet.

Section 4.1.3:
"A zone key rollover can be handled ...."
Please use the same syntax: "A ZSK rollover can be handled ....". It's less confusing.
Section 4.1.4 last paragraph:
"Since this leads to increase in zone and packet size at both child and parent there are little benefits to a Double-DS rollover with a Single Type signing scheme."

Same as above. A Double-DS rollover is the only rollover mechanism you can use during a secure DNS operator change. Even with a Single Type signing scheme.

-- 
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:antoin.verschu...@sidn.nl xmpp:ant...@jabber.sidn.nl http://www.sidn.nl/
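As an added illustration of the point made in this mail (not part of the message or of the draft under review), the toy model below walks a KSK change of DNS operator through a Double-DS rollover and through a parent that can only swap a single DS, checking at each step whether every zone copy a resolver might still see validates against the parent's DS set. DS digests are simplified to SHA-256 over a constructed public-key blob, step names and key blobs are made up, and the gaining operator is assumed never to hold the losing operator's private key.

```python
import hashlib

def ds_digest(pubkey: bytes) -> str:
    # Simplified DS: a real DS hashes owner name + DNSKEY RDATA (RFC 4034);
    # here the digest is over a constructed public-key blob only.
    return hashlib.sha256(pubkey).hexdigest()

def chain_intact(parent_ds: set, dnskey_rrset: set) -> bool:
    # A validator is satisfied when some DS at the parent matches a KSK
    # present in the DNSKEY RRset it fetched from the child.
    return any(ds_digest(k) in parent_ds for k in dnskey_rrset)

def double_ds_operator_change(ksk_old: bytes, ksk_new: bytes) -> list:
    # Each step: (description, DS set at parent, DNSKEY RRsets a resolver
    # might see).  The gaining operator never holds the losing operator's
    # private key, so each zone copy carries only its own KSK.
    old_zone, new_zone = {ksk_old}, {ksk_new}
    ds_old, ds_new = ds_digest(ksk_old), ds_digest(ksk_new)
    return [
        ("only old DS, old operator serving", {ds_old}, [old_zone]),
        ("parent adds new DS, wait DS TTL", {ds_old, ds_new}, [old_zone]),
        ("NS switched; caches hit either", {ds_old, ds_new}, [old_zone, new_zone]),
        ("old NS and zone data expired", {ds_old, ds_new}, [new_zone]),
        ("parent removes old DS", {ds_new}, [new_zone]),
    ]

def single_ds_swap_operator_change(ksk_old: bytes, ksk_new: bytes) -> list:
    # Same change at a parent that only ever publishes one DS: the swap
    # has to happen in one step, while caches may still serve old data.
    ds_old, ds_new = ds_digest(ksk_old), ds_digest(ksk_new)
    return [
        ("only old DS, old operator serving", {ds_old}, [{ksk_old}]),
        ("DS swapped; caches hit either", {ds_new}, [{ksk_old}, {ksk_new}]),
        ("old NS and zone data expired", {ds_new}, [{ksk_new}]),
    ]

def insecure_steps(steps: list) -> list:
    # Names of the steps during which some resolver would fail validation.
    return [name for name, ds, zones in steps
            if not all(chain_intact(ds, z) for z in zones)]

if __name__ == "__main__":
    # Constructed key blobs standing in for real DNSKEY public key material.
    KSK_OLD, KSK_NEW = b"example-ksk-losing-operator", b"example-ksk-gaining-operator"
    print("Double-DS :", insecure_steps(double_ds_operator_change(KSK_OLD, KSK_NEW)))
    print("single DS :", insecure_steps(single_ds_swap_operator_change(KSK_OLD, KSK_NEW)))
```

The Double-DS sequence reports no insecure step, while the single-DS swap reports the window in which caches may still reach the losing operator's zone, which is the case the mail argues the draft should treat as the primary one.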