On 13/06/2011 1:22 PM, Stephen Morris wrote:
Dear DNSOP WG,
This is to initiate a working group last call (WGLC) on
"DNSSEC Policy & Practice Statement Framework"
draft-ietf-dnsop-dnssec-dps-framework-04.txt
Owing to the length of the document, the WGLC will last for three weeks
instead of the usual two, and will therefore end on
Monday, 4 July 2011, 23:59 UTC
The IETF tools site gives easy access to the current and previous
versions, as well as differences and the like, at:
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework-04
The document is aimed at a status of "Informational".
Please review the document and send any comments you may have to the
list. If you have no comments but support (or do not support) the
document being published, please send that information to the list.
The document is subject to the normal five reviewer threshold.
I have reviewed this document and support its publication.
Few nits and questions below:
a) DP and DSP should be included in the Definitions section 2, even
though the abbreviations are defined in section 1.2.
Alternatively, spell out in the section 3.1 and 3.2 titles what DP and DPS are.
b) The document for all practical purposes is about the process until a
zone has been signed/resigned. There is almost no discussion about the
operation of the signed zone; is this intentional or an omission?
(The exceptions are the key rollover sections 4.5.4+5.)
c) Section 4.6.9 should not limit itself to the TTLs of some types; it should
cover all types in the zone, as the maximum TTL in the zone impacts how
fast keys can be added to or removed from the DNSKEY set.
d) Section 4.6.8 does not indicate what the purpose of this test is.
I think the purpose is to prevent bad data from showing up in the DNS.
f) There needs to be a section (4.6.x) for zones that use NSEC3 as to the
policy for changing NSEC3 parameters, as this is similar to a ZSK rollover.
Questions:
c) should the DPS have a section describing if/when/how a zone (i.e.
the one covered by the DPS) goes to unsigned?
d) Should the DPS have a section describing the zone's policy as to how to
perform an algorithm rollover?
What I'm looking for in particular is how long the zone
expects to be signed by both algorithms.
Olafur
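As an added illustration of the point raised in nit c) above (this is example code, not part of the draft or of the thread), the script below computes the maximum TTL over every type in a constructed zone and uses it to derive the earliest safe times in a pre-publish ZSK rollover, following the reasoning of RFC 6781 section 4.1.1.1: the new key may sign once the DNSKEY TTL plus propagation delay has passed, and the old key may leave the DNSKEY RRset only once the largest TTL of any RRset it signed, plus propagation delay, has passed. The zone contents, the one-hour propagation delay and the start time are constructed values; the comparison line shows how much a DNSKEY-TTL-only reading of section 4.6.9 would underestimate the retention period.

```python
"""Maximum-zone-TTL-aware DNSKEY rollover timing (added example, constructed data)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone: TTLs are deliberately mixed so that the DNSKEY
# RRset is NOT the RRset with the largest TTL in the zone.
SAMPLE_ZONE = """\
$TTL 3600
example.test.   86400 IN SOA ns1.example.test. hostmaster.example.test. 2011061301 7200 3600 1209600 3600
example.test.   86400 IN NS  ns1.example.test.
example.test.    3600 IN DNSKEY 256 3 8 AwEAAc-zsk-placeholder
example.test.    3600 IN DNSKEY 257 3 8 AwEAAd-ksk-placeholder
www.example.test.  300 IN A   192.0.2.10
ftp.example.test. 172800 IN A 192.0.2.11   ; largest TTL in the zone
ns1.example.test.       IN A   192.0.2.1   ; inherits $TTL
"""

# Constructed rollover parameters (assumptions, not values from the draft).
ROLLOVER_START = datetime(2011, 6, 13, 13, 22, tzinfo=timezone.utc)
PROPAGATION_DELAY = timedelta(hours=1)  # time for all secondaries to load the new zone

_TTL_DIRECTIVE = re.compile(r"^\$TTL\s+(\d+)")


def parse_ttls(zone_text):
    """Return {rrtype: largest TTL seen for that type} for a zone in simple
    presentation format. Handles a $TTL default and records with or without an
    explicit TTL. Assumes one record per line, an owner name on every line,
    class IN and no $ORIGIN or multi-line records (enough for the constructed input)."""
    default_ttl = None
    per_type = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _TTL_DIRECTIVE.match(line)
        if m:
            default_ttl = int(m.group(1))
            continue
        tokens = line.split()  # owner [ttl] IN type rdata...
        if tokens[1].isdigit():
            ttl, idx = int(tokens[1]), 2
        else:
            if default_ttl is None:
                raise ValueError("record without TTL and no $TTL: " + line)
            ttl, idx = default_ttl, 1
        if tokens[idx].upper() != "IN":
            raise ValueError("unsupported class: " + line)
        rrtype = tokens[idx + 1].upper()
        per_type[rrtype] = max(per_type.get(rrtype, 0), ttl)
    return per_type


def max_zone_ttl(per_type):
    """The TTL that bounds how long any RRSIG made by the old key can stay cached."""
    return max(per_type.values())


def prepublish_zsk_timeline(publish_at, per_type, propagation_delay):
    """Earliest safe times in a pre-publish ZSK rollover (RFC 6781 4.1.1.1 reasoning).
    - sign_with_new_key: every cache can hold the new DNSKEY RRset once
      DNSKEY TTL + propagation delay has elapsed after publication.
    - remove_old_key: every RRSIG made by the old key can have expired from caches
      once max TTL over ALL types + propagation delay has elapsed after the switch.
    - remove_old_key_dnskey_ttl_only: the same step computed from the DNSKEY TTL alone,
      i.e. what a narrow reading of section 4.6.9 would suggest."""
    dnskey_ttl = timedelta(seconds=per_type["DNSKEY"])
    zone_max = timedelta(seconds=max_zone_ttl(per_type))
    sign_at = publish_at + dnskey_ttl + propagation_delay
    remove_old_at = sign_at + zone_max + propagation_delay
    remove_old_naive = sign_at + dnskey_ttl + propagation_delay
    return {
        "sign_with_new_key": sign_at,
        "remove_old_key": remove_old_at,
        "remove_old_key_dnskey_ttl_only": remove_old_naive,
        "underestimate": remove_old_at - remove_old_naive,
    }


def demo_timeline():
    """Run the computation on the constructed zone and parameters."""
    return prepublish_zsk_timeline(ROLLOVER_START, parse_ttls(SAMPLE_ZONE), PROPAGATION_DELAY)


if __name__ == "__main__":
    per_type = parse_ttls(SAMPLE_ZONE)
    print("max TTL per type:", per_type, "-> zone max", max_zone_ttl(per_type))
    for step, when in demo_timeline().items():
        print(f"{step:32s} {when}")
```

In the constructed zone the DNSKEY TTL is one hour but an A record carries a two-day TTL, so retaining the old ZSK for only DNSKEY TTL plus propagation would leave it out of the DNSKEY set 47 hours before the last RRSIG it produced could have aged out of caches; that is the gap a policy section covering only some types would not capture.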
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop