Most people reading an RFC about the DNS probably expect it to be about
the public DNS we know. That public DNS currently has one KSK, and there
are no plans to change that (although there might be in the future).
Given that, and given Mike's comments on the doc, I propose the
following.
Change the Abstract from:

    This document describes the math behind the minimum time-length that
    a DNS zone publisher must wait before using a new DNSKEY to sign
    records when supporting the RFC5011 rollover strategies.

To:

    This document describes the math behind the minimum time-length that
    a DNS zone publisher must wait before using a new DNSKEY to sign
    records when supporting the RFC5011 rollover strategies in zones
    that have a single key signing key.

Just before Section 1.1, add a paragraph:

    This document describes only the case where a zone has only a single key
    signing key (KSK). It does not apply to zones that have multiple KSKs.
    The current public DNS has a single KSK covering the root zone, and this
    document focuses mostly on that KSK in its discussion.

--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop