Hi Fredrik,

As others have already pointed out, a key with the SEP bit set is not necessarily a KSK. I like to see Key Signing (KS) and Zone Signing (ZS) as a role of a key. A key can then have one or both of these roles. The document focuses too much on the situation where those roles are divided between different keys (aka a KSK/ZSK split). Therefore, it might be difficult to fit the Single Type Signing Scheme into the framework.

I propose the following changes:

--------------------------------------------------------------------------
Section 2 Definitions:

Key Roll Over - An operational process of DNSSEC to change one of the keys currently used for signing.

Section 4.4.5. Compromise and Disaster Recovery:

Bullet point 2: The recovery procedures used ... is re-established, whether one of the keys requires a roll-over, how to assess the damage and carry out the root cause analysis.

Bullet point 3: The recovery procedures used if one of the keys is compromised. These procedures describe how ...

Section 4.6.1. Key lengths, algorithms and roles

This subcomponent describes whether the keys are used as Key Signing Key, Zone Signing Key or both. It describes the key generation algorithm and the key length used to create the keys.

Merge 4.6.4 and 4.6.5: Key Roll-over

This subcomponent explains the roll-over scheme per key. Roll-overs vary depending on the roles of the key (e.g. does the key act as a Key Signing Key, Zone Signing Key or both).
--------------------------------------------------------------------------

I think these are fairly small changes and they make a Single Type Signing Scheme fit better into the framework.

Best regards,
Matthijs

PS: Perhaps the Flags Field (to SEP or not to SEP) should also be covered. I think it would fit in Section 4.6.1.

On 06/23/2011 06:51 PM, Fredrik Ljunggren wrote:
>
> On 2011-06-23, at 02:21, Matthijs Mekking wrote:
>
>> The two different methods I call signing scheme.
>
> Ok! I follow you.
>
>> If I am going to use a Single Type Signing Scheme, where do I
>> describe the roll-over schedule for that key.
>
> A KSK is a DNSKEY with the SEP bit set. And for validation to work
> with a single key, that key has to have the SEP bit set. So I would
> suggest roll-overs in a single-key zone to be described under KSK
> roll-over.
>
> And you do have a point that this should be spelled out in the DPS
> framework document. Although, I'm a bit reluctant to have a whole
> new section for this, but would rather see it included in the
> existing sections.
>
> What do you think about adding some descriptive text to the section
> "Key lengths and algorithms", to include split/single key signing
> there? And using the existing subsections as relevant for
> roll-overs?
>
> -- Fredrik
>

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
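An added example, not from this thread or from the DPS framework draft, of the distinction drawn above: each DNSKEY's KS/ZS role is derived from which RRsets it actually signs, and the SEP flag is reported separately so a zone can be classified as split (KSK/ZSK) or Single Type Signing Scheme. The DnsKey/RrSig tuples, key tags and RRSIG coverage are constructed sample data.

```python
"""Added example (not from the thread): derive KS/ZS roles from what each
DNSKEY signs and report the SEP bit separately. Sample data is constructed."""
from collections import namedtuple

ZONE_FLAG = 0x0100  # RFC 4034 2.1.1: bit 7, Zone Key
SEP_FLAG = 0x0001   # RFC 4034 2.1.1: bit 15, Secure Entry Point

DnsKey = namedtuple("DnsKey", "key_tag flags")
RrSig = namedtuple("RrSig", "type_covered key_tag")  # RRset type, signing key tag


def key_roles(keys, rrsigs):
    """key tag -> roles: 'KS' signs the DNSKEY RRset, 'ZS' signs other RRsets."""
    roles = {}
    for k in keys:
        covered = {s.type_covered for s in rrsigs if s.key_tag == k.key_tag}
        r = set()
        if k.flags & ZONE_FLAG:  # only Zone Keys may sign zone data (RFC 4034)
            if "DNSKEY" in covered:
                r.add("KS")
            if covered - {"DNSKEY"}:
                r.add("ZS")
        roles[k.key_tag] = r
    return roles


def signing_scheme(keys, rrsigs):
    """'split' (KSK/ZSK), 'single-type' (every signing key has both roles), else 'mixed'."""
    active = [r for r in key_roles(keys, rrsigs).values() if r]
    if not active:
        return "unsigned"
    if all(r == {"KS", "ZS"} for r in active):
        return "single-type"
    if {"KS"} in active and {"ZS"} in active and all(len(r) == 1 for r in active):
        return "split"
    return "mixed"


def sep_role_mismatches(keys, rrsigs):
    """Key tags whose SEP hint disagrees with the KS role they actually hold."""
    roles = key_roles(keys, rrsigs)
    return sorted(k.key_tag for k in keys
                  if bool(k.flags & SEP_FLAG) != ("KS" in roles[k.key_tag]))


# Constructed samples: a KSK/ZSK split, a Single Type Signing Scheme, and a
# zone whose SEP-flagged key signs only zone data while a non-SEP key signs DNSKEY.
SPLIT_KEYS = [DnsKey(1001, 257), DnsKey(1002, 256)]
SPLIT_SIGS = [RrSig("DNSKEY", 1001), RrSig("SOA", 1002), RrSig("A", 1002)]
SINGLE_KEYS = [DnsKey(2001, 257)]
SINGLE_SIGS = [RrSig("DNSKEY", 2001), RrSig("SOA", 2001), RrSig("NS", 2001)]
ODD_KEYS = [DnsKey(3001, 256), DnsKey(3002, 257)]
ODD_SIGS = [RrSig("DNSKEY", 3001), RrSig("SOA", 3002)]
```

In the third sample the SEP-flagged key signs only zone data, so it is reported as a mismatch rather than counted as the KSK; a DPS that documents roll-over per role, as proposed, covers that key correctly either way.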