Paul,

On 04/01/2015 08:46 PM, Paul Hoffman wrote:
On Apr 1, 2015, at 1:02 AM, Matthijs Mekking <matth...@pletterpet.nl>
wrote:
In section 3 (DNS Message Format) the last three paragraphs
discuss "default TTL", Glue records and Referrals. I wonder if
that belongs in the section about DNS Message Format. To me it
sounds like it is more suitable to be put in the Resource Records
section or Zones section.

Good point. TTL should be in "Resource Records", and Referral/Glue
should be in Zones.

Actually I think $DEFAULT_TTL should be in Zones too as it only exists
in zone files.

[SNIP]

Should we also define zone enumeration?

Only if we agree on a definition. Proposal?

Perhaps we can quote RFC5155 here:

   Zone enumeration is enabled by the set of NSEC records that exists
   inside a signed zone.  An NSEC record lists two names that are
   ordered canonically, in order to show that nothing exists between the
   two names.  The complete set of NSEC records lists all the names in a
   zone.  It is trivial to enumerate the content of a zone by querying
   for names that do not exist.


On page 13 KSK and ZSK are described. There is also a notion of a
Combined Signing Key (CSK) [1]. In RFC 6781 this is called a
Single-Type Signing Scheme: "In cases where the differentiation
between the KSK and ZSK is not made, i.e., where keys have the role
of both KSK and ZSK, we talk about a Single-Type Signing Scheme."
Would it be worth adding this term to this document?

That seems to be a very new term, maybe premature for this document.

I disagree: We have been talking about this in DNSOP for years, also
referred to as Combined Signing Key (CSK).

I think it is important that people who read this terminology realize
that a key can be a KSK and ZSK at the same time. Think of a key as an
actor and Key-signing and Zone-signing as roles: An actor can have
multiple roles.

I can be talked into not adding this term to this document but then I
would like to see one additional line, something like:

    The roles KSK and ZSK are not mutually exclusive: A single key
    can be both KSK and ZSK at the same time.


Best regards,
  Matthijs
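The RFC 5155 paragraph quoted above, worked through in code (an example added here, not part of the thread or of any RFC): constructed NSEC records for a sample zone, a check that the chain is closed under RFC 4034 canonical name ordering, and the lookup showing why each denial-of-existence answer hands back two neighbouring existing names. Names, records and function names are all assumptions for the example.

```python
# Constructed NSEC records for a hypothetical "example." zone:
# (owner name, next name, type bitmap). Not data from any real zone.
NSEC_RRS = [
    ("example.",      "a.example.",    ["NS", "SOA", "RRSIG", "NSEC", "DNSKEY"]),
    ("a.example.",    "Mail.example.", ["A", "RRSIG", "NSEC"]),
    ("mail.example.", "ns1.example.",  ["A", "AAAA", "RRSIG", "NSEC"]),
    ("ns1.example.",  "example.",      ["A", "RRSIG", "NSEC"]),  # wraps to apex
]

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical DNS name order:
    labels compared right to left, case-insensitively, as byte strings."""
    labels = [l.encode().lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def walk_nsec_chain(rrs, apex):
    """Follow the NSEC chain from the apex until it returns there.
    Returns every owner name the chain reveals, in canonical order;
    raises ValueError if the chain is broken or runs backwards."""
    nxt = {owner.lower(): next_name.lower() for owner, next_name, _ in rrs}
    names, cur = [], apex.lower()
    while True:
        if cur not in nxt:
            raise ValueError(f"chain broken: no NSEC owned by {cur}")
        names.append(cur)
        next_name = nxt[cur]
        if next_name == apex.lower():
            return names
        # Strictly increasing canonical order also rules out loops that
        # never come back to the apex.
        if canonical_key(next_name) <= canonical_key(cur):
            raise ValueError(f"NSEC at {cur} points backwards to {next_name}")
        cur = next_name

def covering_nsec(rrs, qname, apex):
    """The (owner, next) pair of the NSEC that denies qname: owner sorts
    before qname and next sorts after it (the record pointing back to the
    apex covers everything after its owner). This is what a query for a
    non-existent name returns, and it exposes two real names each time."""
    q = canonical_key(qname)
    for owner, next_name, _ in rrs:
        wraps = next_name.lower() == apex.lower()
        if canonical_key(owner) < q and (wraps or q < canonical_key(next_name)):
            return owner, next_name
    return None  # qname exists (or chain is incomplete)

if __name__ == "__main__":
    print(walk_nsec_chain(NSEC_RRS, "example."))
    print(covering_nsec(NSEC_RRS, "b.example.", "example."))
```

The same chain walk doubles as an integrity check on a signed zone: a gap or a backwards pointer in the NSEC chain means some names can no longer be proven absent.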



--Paul Hoffman

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

