On Apr 2, 2015, at 12:32 AM, Matthijs Mekking <matth...@pletterpet.nl> wrote:
> Actually I think $DEFAULT_TTL should be in Zones too as it only exists
> in zone files.

This does not seem to be a commonly used term, does it?

>>> Should we also define zone enumeration?
>>
>> Only if we agree on a definition. Proposal?
>
> Perhaps we can quote RFC5155 here:
>
>    Zone enumeration is enabled by the set of NSEC records that exists
>    inside a signed zone. An NSEC record lists two names that are
>    ordered canonically, in order to show that nothing exists between the
>    two names. The complete set of NSEC records lists all the names in a
>    zone. It is trivial to enumerate the content of a zone by querying
>    for names that do not exist.

Yeah, I realized that after I sent the message last night, and already put it in the pre-draft. I tweaked a bit because we have definitions for NSEC and NSEC3 as well, and now the considerations from NSEC5.

>>> On page 13 KSK and ZSK are described. There is also a notion of a
>>> Combined Signing Key (CSK) [1]. In RFC 6781 this is called a
>>> Single-Type Signing Scheme: "In cases where the differentiation
>>> between the KSK and ZSK is not made, i.e., where keys have the role
>>> of both KSK and ZSK, we talk about a Single-Type Signing Scheme."
>>> Would it be worth to add this term to this document?
>>
>> That seems to be a very new term, maybe premature for this document.
>
> I disagree: We have been talking about this in DNSOP for years, also
> referred to as Combined Signing Key (CSK).

The term "combined signing key" doesn't appear in any RFC, and "CSK" only appears once, in RFC 5155 as part of an octet string. :-)

> I think it is important that people who read this terminology realize
> that a key can be a KSK and ZSK at the same time.

Fully agree.

> Think of a key as an
> actor and Key-signing and Zone-signing as roles: An actor can have
> multiple roles.
>
> I can be talked into not adding this term to this document but then I
> would like to see one additional line, something like:
>
>    The roles KSK and ZSK are not mutually exclusive: A single key
>    can be both KSK and ZSK at the same time.

That seems fine. If either CSK or Single-Type Signing Scheme becomes a more common term, we can add them to an updated RFC.

--Paul Hoffman