On Wed, Jul 5, 2017 at 12:30 PM, Jim Reid <j...@rfc1035.com> wrote:
> I've got a few concerns/issues with the document.
>

Hi Jim,

I largely agree with the responses Viktor gave in a previous message. I'll comment on the last point where he did not:

> 6) The draft doesn't seem to take account of key rollovers when DNS data
> will be signed by two or more keys. Zone signing keys are missing from the
> examples too. These might well have been omitted for cosmetic reasons. IMO
> they need to be included in the final document to illustrate what
> implementers can expect to find when the DNS returns signed data.
>

I assume you're referring to the examples in Appendix D (Test Vectors)? These are working examples that implementers can test code against. But it looks like the testbed involved in these examples uses combined signing keys (i.e. ones that are both the zone's secure entry point and the ZSK). Perhaps we should use an example with the KSK/ZSK split to make them look more like the real world. Let me discuss with Willem Toorop (co-author) who generated these ...

--
Shumon Huque
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
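The point raised in this exchange, that implementers should expect RRsets signed by more than one key (a KSK/ZSK split, or an old and a new ZSK during a rollover) rather than the single combined key in the current test vectors, is illustrated below with an added example. It is not code from the draft, from the testbed, or from anyone in this thread. It performs only the key-selection step a validator does before signature verification: classify each DNSKEY by its flags and match each RRSIG to candidate keys by signer name, algorithm and key tag (RFC 4034 sections 2.1.1 and 3.1, key tag per Appendix B). The zone name, the key material, and the resulting key tags are constructed for illustration, and no cryptographic verification is performed.

```python
"""Added example (not from the draft or the thread): what a validator sees
when one RRset carries RRSIGs from several DNSKEYs, contrasted with the
single combined-key case. Keys and names are constructed; no crypto here."""
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100  # RFC 4034 s2.1.1: Zone Key bit
SEP_FLAG = 0x0001       # RFC 4034 s2.1.1: Secure Entry Point bit


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material; constructed, not a real key

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def role(self) -> str:
        if not self.flags & ZONE_KEY_FLAG:
            return "not-zone-key"
        # Flags alone cannot tell a KSK from a CSK: a CSK is a SEP key that
        # also signs ordinary RRsets, which only the chain shape reveals.
        return "KSK/CSK" if self.flags & SEP_FLAG else "ZSK"


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer_name: str


def candidate_keys(sig: RRSIG, dnskeys, zone: str):
    """Keys an RRSIG may have been made with: the signer must be the zone
    owning the DNSKEY RRset, and algorithm, key tag and Zone Key flag must
    match. Key tags are not unique, so more than one key can come back and
    a validator tries each until one signature verifies."""
    if sig.signer_name != zone:
        return []
    return [k for k in dnskeys
            if k.flags & ZONE_KEY_FLAG
            and k.algorithm == sig.algorithm
            and k.key_tag() == sig.key_tag]


def signing_roles(rrsigs, dnskeys, zone: str):
    """Map each RRSIG's key tag to the roles of its candidate keys. Only one
    RRSIG needs to verify, so two entries here during a rollover is normal."""
    return {sig.key_tag: sorted({k.role() for k in candidate_keys(sig, dnskeys, zone)})
            for sig in rrsigs}


# Constructed zone with a KSK/ZSK split, caught mid-ZSK-rollover.
ZONE = "example.com."
KSK = DNSKEY(257, 3, 13, bytes.fromhex("01020304"))
ZSK_OLD = DNSKEY(256, 3, 13, bytes.fromhex("0a0b0c0d"))
ZSK_NEW = DNSKEY(256, 3, 13, bytes.fromhex("10111213"))
SPLIT_KEYS = [KSK, ZSK_OLD, ZSK_NEW]

# Constructed zone using one combined signing key, the shape of the current vectors.
CSK = DNSKEY(257, 3, 13, bytes.fromhex("20212223"))


def split_key_chain():
    """DNSKEY RRset signed by the KSK; TLSA RRset signed by both the outgoing
    and the incoming ZSK, so it carries two RRSIGs."""
    dnskey_sigs = [RRSIG("DNSKEY", 13, KSK.key_tag(), ZONE)]
    tlsa_sigs = [RRSIG("TLSA", 13, ZSK_OLD.key_tag(), ZONE),
                 RRSIG("TLSA", 13, ZSK_NEW.key_tag(), ZONE)]
    return {"DNSKEY": signing_roles(dnskey_sigs, SPLIT_KEYS, ZONE),
            "TLSA": signing_roles(tlsa_sigs, SPLIT_KEYS, ZONE)}


def combined_key_chain():
    """Same two RRsets when a single CSK signs everything: one tag throughout."""
    sig = RRSIG("DNSKEY", 13, CSK.key_tag(), ZONE)
    tlsa = RRSIG("TLSA", 13, CSK.key_tag(), ZONE)
    return {"DNSKEY": signing_roles([sig], [CSK], ZONE),
            "TLSA": signing_roles([tlsa], [CSK], ZONE)}


if __name__ == "__main__":
    print("split keys:   ", split_key_chain())
    print("combined key: ", combined_key_chain())
```

The contrast a test vector with split keys would expose: in `split_key_chain()` the TLSA RRset maps to two key tags, both ZSKs, and the DNSKEY RRset to a different tag with the SEP bit set, whereas `combined_key_chain()` yields the same tag for every RRset. A validator that assumes one RRSIG per RRset, or that the key signing the DNSKEY RRset is also the key signing the leaf data, would pass the combined-key vectors and fail on the split-key zone.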