[DNSOP] draft-morris-dnsop-dnssec-key-timing-00

Wed, 01 Apr 2009 07:46:19 -0700 

Hello,
I have studied your I-D, draft-morris-dnsop-dnssec-key-timing-00
and find it a very useful exposition.

I have (A) one point for discussion and (B) a few nits to polish.

(A)

The draft generally assumes a single active key used for zone
signing (or as a KSK for secure delegation).

IIRC, the core DNSSEC specifications call out for one set of
signatures *per algorithm supported in a zone*.

Since currently crypto algorithm agility is a hot topic
(e.g. transition to SHA-2 and ECDSA), it should be worth
being considered in the draft.  The important detail is that,
due to long transition phases to be expected for validating
resolvers, there will be long periods of coexistence of
signatures for secure zones that are deemed worth the
algorithm transition, and hence the common operational need
for more than one 'active' key.

My first impression is that the algorithms in the draft could be
(and should be) easily applied unchanged *per signature algorithm*.
Is that true?

Thoughts?


(B) Editorial nits:

(1)  Figure captions

I suggest to make the figure captions more compact and use the
common RFC style; for instance:

|                      Timeline for a ZSK rollover.
|
|                                Figure 1
---
|                Figure 1: Timeline for a ZSK rollover.


(2)  Section 2.3.2, 2md para

    s/takes in to account/takes into account/
            ^^^^^               ^^^^

(3)  Section 3.1, difference #1

   s/a excessive amount/an excessive amount/
     ^                  ^^

(4)  Section 3.1, 2nd para below the numbered differences

  s/the time take to publish/the time taken to publish/
             ^^^^                     ^^^^^

(5)  Section 3.1, 'Event 1'

  s/may find its convenient/may find it convenient/
             ^^^                     ^^

(6)  Section 3.1, 'Event 4'

Please add the missing trailing period.


(7)  Section 4, implication #2

  s/longer that the key lifetime/longer than the key lifetime/
              ^                            ^

Kind regards,
  Alfred Hönes.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  a...@tr-sys.de                     |
+------------------------+--------------------------------------------+

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to