On Thu, May 25, 2017 at 1:15 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> Most people reading an RFC about the DNS probably expect it to be about
> the public DNS we know. That public DNS currently has one KSK, and there
> are no plans to change that (although there might be in the future). Given
> that, and given Mike's comments on the doc, I propose the following.
>
> Change the Abstract from:
>    This document describes the math behind the minimum time-length that
>    a DNS zone publisher must wait before using a new DNSKEY to sign
>    records when supporting the RFC5011 rollover strategies.
> To:
>    This document describes the math behind the minimum time-length that
>    a DNS zone publisher must wait before using a new DNSKEY to sign
>    records when supporting the RFC5011 rollover strategies in zones
>    that have a single key signing key.
>
> Just before Section 1.1, add a paragraph:
>
> This document describes only the case where a zone has only a single key
> signing key (KSK). It does not apply to zones that have multiple KSKs. The
> current public DNS has a single KSK covering the root zone, and this
> document focuses mostly on that KSK in its discussion.
>
> --Paul Hoffman

Although the root zone is mentioned, I don't think "this document focuses mostly on that KSK".

I might be wrong, but it would seem to me that the doc covers two situations:

1. How long to wait after publishing a key before signing exclusively with that key.
2. How long after you stop signing with a key before you remove it.

And both should apply no matter how many keys a zone happens to have.

-- 
Bob Harold
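The two situations Bob lists are both governed by timers that every RFC 5011 resolver runs independently of how many KSKs the zone has: the add hold-down before a newly seen key becomes a trust anchor, and the remove hold-down (or immediate revocation) after a key disappears. The simulation below is an added illustration, not code from this thread or from the draft under discussion. It implements the resolver side of RFC 5011 (the active-refresh rule of section 2.3 and the Start/AddPend/Valid/Missing/Revoked/Removed states of section 2.4) and sweeps the resolver's poll phase to find the latest time at which any resolver accepts a new key. The `zone(t)` callback, the key tags and the timelines are constructed stand-ins for querying a signed apex DNSKEY RRset; the draft's own formulas are not reproduced, and the replay of an old but still validly signed RRset that the draft accounts for is not modelled.

```python
"""Simulation of the RFC 5011 trust-anchor timers a resolver runs for one DNSKEY.

Added illustration, not code from the thread or from the draft under discussion.
Models the resolver side of RFC 5011 (section 2.3 active refresh, section 2.4
state machine). Constructed inputs: zone(t) stands in for a DNSKEY query.
"""

HOUR = 3600
DAY = 24 * HOUR
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 section 2.4.1
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 section 2.4.1


def active_refresh(dnskey_ttl):
    """RFC 5011 section 2.3: half the DNSKEY RRset TTL, clamped to [1 hour, 15 days]."""
    return max(HOUR, min(15 * DAY, dnskey_ttl // 2))


def resolver_timeline(zone, tag, dnskey_ttl, phase, horizon):
    """Track one key tag through a resolver's RFC 5011 states.

    zone(t) is a constructed stand-in for querying the apex DNSKEY RRset: it
    returns {key_tag: revoke_bit_set} for the keys visible at time t, which are
    assumed to be validly signed. The resolver polls at phase + k*refresh.
    Returns the list of (time, state) transitions. Revocation while still in
    AddPend is simplified to a timer reset.
    """
    refresh = active_refresh(dnskey_ttl)
    state, since, log = "Start", None, []
    t = phase
    while t <= horizon:
        keys = zone(t)
        seen = tag in keys
        revoked = seen and keys[tag]
        new = state
        if state == "Start" and seen and not revoked:
            new, since = "AddPend", t          # add hold-down timer starts
        elif state == "AddPend":
            if not seen or revoked:
                new = "Start"                   # key vanished: timer resets
            elif t - since >= ADD_HOLD_DOWN:
                new = "Valid"                   # key is now a trust anchor
        elif state == "Valid":
            if revoked:
                new = "Revoked"                 # REVOKE bit seen: dropped at once
            elif not seen:
                new, since = "Missing", t       # remove hold-down timer starts
        elif state == "Missing":
            if revoked:
                new = "Revoked"
            elif seen:
                new = "Valid"                   # came back before the timer ran out
            elif t - since >= REMOVE_HOLD_DOWN:
                new = "Removed"
        if new != state:
            state = new
            log.append((t, state))
        t += refresh
    return log


def acceptance_time(zone, tag, dnskey_ttl, phase, horizon):
    """Time at which this resolver starts trusting `tag`, or None if it never does."""
    for t, state in resolver_timeline(zone, tag, dnskey_ttl, phase, horizon):
        if state == "Valid":
            return t
    return None


def worst_case_acceptance(zone, tag, dnskey_ttl, horizon, step=HOUR):
    """Latest acceptance over resolver poll phases sampled every `step` seconds.

    A publisher cannot rely on the new key before this time. None means some
    phase never accepted the key within `horizon`.
    """
    refresh = active_refresh(dnskey_ttl)
    times = [acceptance_time(zone, tag, dnskey_ttl, phase, horizon)
             for phase in range(0, refresh, step)]
    return None if None in times else max(times)


def steady_zone(publish_at):
    """Constructed zone: key tag 'new' appears at publish_at, stays, is never revoked."""
    return lambda t: {"new": False} if t >= publish_at else {}


if __name__ == "__main__":
    for ttl in (2 * DAY, 14 * DAY):
        latest = worst_case_acceptance(steady_zone(10 * DAY), "new", ttl, horizon=90 * DAY)
        print(f"TTL {ttl // DAY}d: refresh {active_refresh(ttl) // DAY}d, every resolver "
              f"trusts the key {(latest - 10 * DAY) / DAY:.2f} days after publication")
```

Running it shows why the wait is more than the bare 30-day hold-down: a resolver that polled just before the key appeared only notices it up to one active-refresh later, and it only promotes the key at a poll, so when the refresh interval does not divide the hold-down (a 14-day TTL gives a 7-day refresh, hence 35 days in AddPend) the worst case is close to the hold-down plus two refresh intervals. The same machinery answers Bob's second question from the resolver's side: a key that simply stops being published lingers as a trust anchor for the remove hold-down, whereas a self-signed REVOKE is honoured at the next poll.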
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop