On Mon, Nov 13, 2017 at 9:26 PM, <internet-dra...@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
>         Title           : A Sentinel for Detecting Trusted Keys in DNSSEC
>         Authors         : Geoff Huston
>                           Joao Silva Damas
>                           Warren Kumari
>         Filename        : draft-huston-kskroll-sentinel-04.txt
>         Pages           : 8
>         Date            : 2017-11-13
>
> Abstract:
>    The DNS Security Extensions (DNSSEC) were developed to provide origin
>    authentication and integrity protection for DNS data by using digital
>    signatures.  These digital signatures can be verified by building a
>    chain of trust starting from a trust anchor and proceeding down to a
>    particular node in the DNS.  This document specifies a mechanism that
>    will allow an end user to determine the trusted key state of the
>    resolvers that handle the user's DNS queries.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-huston-kskroll-sentinel/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-huston-kskroll-sentinel-04
> https://datatracker.ietf.org/doc/html/draft-huston-kskroll-sentinel-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-huston-kskroll-sentinel-04
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
Looks like you clarified that "_is-ta-<tag-index>." and
"_not-ta-<tag-index>." are the left-most labels.
Thanks, that's an improvement.

I like the draft.

If I have to add those entries to each zone, I worry that the automated DNS
appliance that I use might not be able to create the broken records
required.  But I am not using DNSSEC yet, so that is a future issue for
me.  Still waiting for more automation (CDSKEY etc) and 'time' to work on
it.

-- 
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
