Hi,

This document is the result of IESG review and off-line comments we received during IESG review.

The IESG review mainly resulted in style and language changes, including some typo fixes. There was a strong consensus for keeping a changelog between RFC 4641 and this successor document, so I have added an extra appendix for that. The section of Security Considerations has been expanded.

During IESG review, we received some off-line comments:

- In the DNSKEY removal step of the ZSK Pre-Publication Rollover, the DNSKEY RRset does not need to be re-signed with the DNSKEY_Z_11, only with the DNSKEY_K_1.
- The -12 warned that having a key effectivity period smaller than the Maximum Zone TTL leads to an ever-growing DNSKEY RRset. Yuri Schaeffer has pointed out that this is not entirely true: At some point in time the growth stops. However, you would have an unnecessarily large DNSKEY RRset.
- The -12 mentions in Section 5.3.3 (on the topic of NSEC3 Salt) that all NSEC3 records in a zone should have the same salt. Ed Lewis has pointed out that there can be NSEC3 records with other salt, as long as there is one complete chain of NSEC3 records with the same salt, and that salt matches the salt in the NSEC3PARAM record.

Best regards,
Matthijs

On 09/11/2012 11:58 AM, internet-dra...@ietf.org wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations Working Group
> of the IETF.
>
> Title : DNSSEC Operational Practices, Version 2
> Author(s) : Olaf M. Kolkman
>             W. (Matthijs) Mekking
>             R. (Miek) Gieben
> Filename : draft-ietf-dnsop-rfc4641bis-13.txt
> Pages : 83
> Date : 2012-09-11
>
> Abstract:
> This document describes a set of practices for operating the DNS with
> security extensions (DNSSEC). The target audience is zone
> administrators deploying DNSSEC.
>
> The document discusses operational aspects of using keys and
> signatures in the DNS. It discusses issues of key generation, key
> storage, signature generation, key rollover, and related policies.
>
> This document obsoletes RFC 4641 as it covers more operational ground
> and gives more up-to-date requirements with respect to key sizes and
> the DNSSEC operations.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc4641bis
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis-13
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc4641bis-13
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
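
The NSEC3 salt condition described in the message above, as an added example that is not part of the original message or of the draft: a Python check that a zone has one complete NSEC3 chain whose salt matches the NSEC3PARAM salt, while tolerating leftover records with another salt. The `Nsec3` tuple, function names and zone data are hypothetical and constructed; it assumes SHA-1 (NSEC3 hash algorithm 1), no opt-out, and that `names` lists every owner name needing an NSEC3 record.

```python
import base64
import hashlib
from collections import namedtuple

# Simplified view of an NSEC3 RR: hashed owner label, salt (hex), next hashed owner.
Nsec3 = namedtuple("Nsec3", "owner salt next_owner")

# Map the standard base32 alphabet to base32hex, which NSEC3 owner labels use.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over wire-format name plus salt, re-hashed `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32HEX)

def check_chain(names, records, param_salt, iterations):
    """Return a list of problems; empty means one complete chain uses the NSEC3PARAM salt."""
    # Only records carrying the NSEC3PARAM salt count; other salts are ignored, not errors.
    chain = {r.owner.upper(): r.next_owner.upper()
             for r in records if r.salt.lower() == param_salt.lower()}
    problems = []
    for name in names:
        if nsec3_hash(name, param_salt, iterations) not in chain:
            problems.append("no NSEC3 with NSEC3PARAM salt for " + name)
    owners = sorted(chain)  # base32hex text order equals hash order
    for i, owner in enumerate(owners):
        # Each record must point at the next hash; the last wraps to the first.
        if chain[owner] != owners[(i + 1) % len(owners)]:
            problems.append("chain broken after " + owner)
    return problems

def build_chain(names, salt, iterations):
    """Construct sample NSEC3 records for the given names (constructed data)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [Nsec3(h, salt, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

# Constructed zone: a full chain with salt aabbccdd plus a leftover record with salt 11223344.
NAMES = ["example.", "www.example.", "mail.example."]
RECORDS = build_chain(NAMES, "aabbccdd", 5) + build_chain(["www.example."], "11223344", 5)
```

With the constructed data, `check_chain(NAMES, RECORDS, "aabbccdd", 5)` reports no problems, while an NSEC3PARAM salt of `11223344` is flagged because only one name is covered by that salt.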