I reviewed the "DNSSEC Key Timing Considerations draft-ietf-dnsop-dnssec-key-timing-03.txt" document rather extensively with emphasis on verifying correctness of the rollover timelines. I believe these are correct.

A remark: 4. Standby Keys, paragraph 6: "Finally, in the Double-DS method of rolling a KSK, it is not a standby key that is present, it is a standby DS record in the parent zone." Saying this does not count as a 'standby key' is confusing in the light that the term key is used rather loosely. Also this text insinuates that it is somehow worse than having a "Double-Signature standby key" but fails to mention why.

Another remark. I guess this is not up for debate at this point but it really bothers me: 2.3: Table 1. I don't like the names at all. It is confusing and inconsistent. KSK Double-Signature would in my opinion be better off called Double-DNSKEY. ZSK Double-Signature means: "do everything at once" whilst KSK Double-Signature means "do it staged". Similarly, to make it consistent I would either call ZSK Pre-Publication Double-DNSKEY or KSK Double-DS Pre-Publication. Perhaps:

+------------------+------------------+-----------------------------+
| ZSK Method       | KSK Method       | Description                 |
+------------------+------------------+-----------------------------+
| Double-DNSKEY    | -                | Publish the DNSKEY before   |
|                  |                  | the RRSIGs.                 |
| Double-RRSIG     | -                | Publish RRSIGs before the   |
|                  |                  | DNSKEY.                     |
| Double-ZSK       | -                | Publish the DNSKEY and      |
|                  |                  | RRSIGs at same time.        |
| -                | Double-DNSKEY    | Publish the DNSKEY before   |
|                  |                  | The DS.                     |
| -                | Double-DS        | Publish DS before the       |
|                  |                  | DNSKEY.                     |
| -                | Double-KSK       | Publish DNSKEY and DS in    |
|                  |                  | parallel.                   |
+------------------+------------------+-----------------------------+

Regards,
Yuri Schaeffer

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
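The ordering rules in the table above (publish the DNSKEY before the RRSIGs, or the RRSIGs before the DNSKEY) exist because a validating resolver may hold the zone's DNSKEY RRset and the RRSIGs of some other RRset from two different moments, each up to one TTL old. The following is an added example, not code from the post or from the draft, that models that situation: a zone is described as a timeline of (time, DNSKEY key tags, RRSIG key tags) states, and a rollover is considered safe when every pair of snapshots taken at most one TTL apart still shares at least one key tag. It goes beyond the table by checking a whole timeline mechanically, and by showing both a safe Double-DNSKEY (pre-publication) ZSK rollover and a Double-RRSIG rollover done too hastily. Times are abstract ticks, the `ttl` is a single combined TTL, RRSIG validity periods and propagation delay are ignored, and the timelines and key tags are constructed for illustration.

```python
"""Check whether a ZSK-rollover timeline stays validatable for caching resolvers.

Model (constructed for this example, not taken from the draft):
  - a timeline is a list of (time, dnskey_tags, rrsig_tags) zone states,
    sorted by time; a state stays in force until the next one;
  - a resolver may hold the DNSKEY RRset fetched at time tk and the RRSIGs
    fetched at time ts, with |tk - ts| <= ttl (both still in cache);
  - validation succeeds only if some cached RRSIG was made by a key that is
    present in the cached DNSKEY RRset.
"""


def validates(dnskey_tags, rrsig_tags):
    """A validator accepts an RRset when an RRSIG key tag is in its DNSKEY RRset."""
    return bool(set(dnskey_tags) & set(rrsig_tags))


def state_at(timeline, t):
    """Return the zone state in force at tick t (the last state with time <= t)."""
    current = timeline[0]
    for state in timeline:
        if state[0] <= t:
            current = state
    return current


def first_failure(timeline, ttl, horizon):
    """Return the first (tk, ts) snapshot pair, within ttl of each other, that
    fails validation, or None if the rollover is safe up to `horizon`."""
    for tk in range(horizon + 1):
        for ts in range(max(0, tk - ttl), min(horizon, tk + ttl) + 1):
            _, keys, _ = state_at(timeline, tk)
            _, _, sigs = state_at(timeline, ts)
            if not validates(keys, sigs):
                return (tk, ts)
    return None


# Constructed timelines; key tag 1 is the old ZSK, key tag 2 the new one.

# Swap key and signatures in one step: a resolver that cached the old
# DNSKEY RRset just before the swap cannot validate the new RRSIGs.
ABRUPT = [(0, {1}, {1}), (3, {2}, {2})]

# Double-DNSKEY (pre-publication): publish the new DNSKEY, wait a TTL,
# switch the RRSIGs, wait a TTL, then remove the old DNSKEY.
PREPUB = [(0, {1}, {1}), (3, {1, 2}, {1}), (6, {1, 2}, {2}), (9, {2}, {2})]

# Double-RRSIG: sign with both keys, wait a TTL, swap the DNSKEY,
# wait a TTL, then drop the old signatures.
DOUBLE_RRSIG = [(0, {1}, {1}), (3, {1}, {1, 2}), (6, {2}, {1, 2}), (9, {2}, {2})]

# Double-RRSIG done too fast: the DNSKEY is swapped before every cached copy
# of the single-signed RRSIGs (tick < 3) could expire.
HASTY = [(0, {1}, {1}), (3, {1}, {1, 2}), (4, {2}, {1, 2})]


def report(ttl=2, horizon=12):
    """Evaluate each constructed timeline; None means no resolver can be broken."""
    return {
        "abrupt": first_failure(ABRUPT, ttl, horizon),
        "double-dnskey": first_failure(PREPUB, ttl, horizon),
        "double-rrsig": first_failure(DOUBLE_RRSIG, ttl, horizon),
        "double-rrsig-hasty": first_failure(HASTY, ttl, horizon),
    }


if __name__ == "__main__":
    for name, failure in report().items():
        print(f"{name:20s} {'safe' if failure is None else 'FAILS at ' + str(failure)}")
```

With `ttl=2` the abrupt swap fails for a resolver that fetched DNSKEYs at tick 1 and RRSIGs at tick 3, and the hasty Double-RRSIG variant fails for one holding the new DNSKEY from tick 4 together with RRSIGs cached at tick 2; both staged methods report no failing pair. The same check applies to a KSK roll by reading the DS RRset in the parent as the "trusted keys" column.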