Hello, I have studied your I-D, draft-morris-dnsop-dnssec-key-timing-00 and find it a very useful exposition.
I have (A) one point for discussion and (B) a few nits to polish.

(A)  The draft generally assumes a single active key used for zone
signing (or as a KSK for secure delegation).
IIRC, the core DNSSEC specifications call for one set of signatures
*per algorithm supported in a zone*.
Since crypto algorithm agility is currently a hot topic (e.g. the
transition to SHA-2 and ECDSA), it should be worth considering in the
draft.
The important detail is that, due to the long transition phases to be
expected for validating resolvers, there will be long periods of
coexistence of signatures for secure zones that are deemed worth the
algorithm transition, and hence the common operational need for more
than one 'active' key.
My first impression is that the algorithms in the draft could be (and
should be) easily applied unchanged *per signature algorithm*.
Is that true?  Thoughts?

(B)  Editorial nits:

(1)  Figure captions

I suggest making the figure captions more compact and using the common
RFC style; for instance:

      |  Timeline for a ZSK rollover.
      |
      |  Figure 1
---
      |  Figure 1: Timeline for a ZSK rollover.

(2)  Section 2.3.2, 2nd para

   s/takes in to account/takes into account/
           ^^^^^               ^^^^

(3)  Section 3.1, difference #1

   s/a excessive amount/an excessive amount/
     ^                  ^^

(4)  Section 3.1, 2nd para below the numbered differences

   s/the time take to publish/the time taken to publish/
              ^^^^                     ^^^^^

(5)  Section 3.1, 'Event 1'

   s/may find its convenient/may find it convenient/
              ^^^                     ^^

(6)  Section 3.1, 'Event 4'

   Please add the missing trailing period.

(7)  Section 4, implication #2

   s/longer that the key lifetime/longer than the key lifetime/
               ^                            ^

Kind regards,
  Alfred Hönes.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   | Alfred Hoenes Dipl.-Math., Dipl.-Phys.     |
| Gerlinger Strasse 12   | Phone: (+49)7156/9635-0, Fax: -18          |
| D-71254 Ditzingen      | E-Mail: a...@tr-sys.de                     |
+------------------------+--------------------------------------------+

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
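The per-algorithm signing rule that point (A) of the message above relies on is the signer-side requirement of RFC 4035, Section 2.2: every RRset in the zone must carry an RRSIG made with a key of each algorithm present in the apex DNSKEY RRset, and the apex DNSKEY RRset itself must additionally be signed by each algorithm that appears in the parent's DS RRset. The following is an added example written for this page; it is not code from the draft, from the message author, or from any DNSSEC implementation. It models DNSKEY and RRSIG records with minimal namedtuples (an assumption, not a DNS library), uses constructed key tags and zone contents, and checks the two rules against a zone that is correctly double-signed during an RSASHA1 to ECDSA transition and against a zone whose new-algorithm keys were published before the zone was re-signed with them.

```python
from collections import namedtuple

# Minimal record models assumed for this example (not a DNS library).
DNSKEY = namedtuple("DNSKEY", "flags algorithm key_tag")
RRSIG = namedtuple("RRSIG", "algorithm key_tag")

# IANA DNSSEC algorithm numbers and DNSKEY flag values.
RSASHA1, RSASHA256, ECDSAP256SHA256 = 5, 8, 13
KSK_FLAGS, ZSK_FLAGS = 257, 256


def check_zone(dnskeys, rrsets, ds_algorithms=frozenset()):
    """Apply the signer-side rules of RFC 4035 section 2.2.

    dnskeys:       the apex DNSKEY RRset.
    rrsets:        {"owner/TYPE": [RRSIG, ...]} for every RRset in the zone
                   ("@/DNSKEY" is the apex DNSKEY RRset).
    ds_algorithms: algorithms present in the parent's DS RRset.
    Returns a list of violations; an empty list means the zone passes.
    """
    problems = []
    zone_algs = {k.algorithm for k in dnskeys}
    published = {(k.algorithm, k.key_tag) for k in dnskeys}

    for name, rrsigs in rrsets.items():
        covered = set()
        for sig in rrsigs:
            if (sig.algorithm, sig.key_tag) in published:
                covered.add(sig.algorithm)
            else:
                problems.append(f"{name}: RRSIG (alg {sig.algorithm}, "
                                f"tag {sig.key_tag}) matches no DNSKEY")
        # Rule 1: each RRset needs an RRSIG for every algorithm in the
        # apex DNSKEY RRset, so a newly published algorithm must already
        # have signed the whole zone.
        for alg in sorted(zone_algs - covered):
            problems.append(f"{name}: missing RRSIG for algorithm {alg}")

    # Rule 2: the apex DNSKEY RRset must be signed by every algorithm the
    # parent advertises in DS; publishing a DS for an algorithm that has
    # not yet signed the DNSKEY RRset breaks the chain of trust.
    apex_sigs = rrsets.get("@/DNSKEY", [])
    apex_covered = {s.algorithm for s in apex_sigs
                    if (s.algorithm, s.key_tag) in published}
    for alg in sorted(set(ds_algorithms) - apex_covered):
        problems.append(f"@/DNSKEY: DS algorithm {alg} has no matching signature")
    return problems


def sigs(*pairs):
    return [RRSIG(alg, tag) for alg, tag in pairs]


# Constructed apex DNSKEY RRset mid-transition: a KSK and a ZSK for each
# algorithm (key tags are made up for the example).
KEYS_DOUBLE = [
    DNSKEY(KSK_FLAGS, RSASHA1, 11111), DNSKEY(ZSK_FLAGS, RSASHA1, 11112),
    DNSKEY(KSK_FLAGS, ECDSAP256SHA256, 22221), DNSKEY(ZSK_FLAGS, ECDSAP256SHA256, 22222),
]

# Constructed zone 1: every RRset double-signed, one RRSIG per algorithm.
ZONE_DOUBLE = {
    "@/DNSKEY": sigs((RSASHA1, 11111), (ECDSAP256SHA256, 22221)),
    "@/SOA": sigs((RSASHA1, 11112), (ECDSAP256SHA256, 22222)),
    "www/A": sigs((RSASHA1, 11112), (ECDSAP256SHA256, 22222)),
}

# Constructed zone 2: the ECDSA keys are in the DNSKEY RRset, but nothing
# has been signed with them yet, and the parent already published a DS
# for the new algorithm.
ZONE_PREMATURE = {
    "@/DNSKEY": sigs((RSASHA1, 11111)),
    "@/SOA": sigs((RSASHA1, 11112)),
    "www/A": sigs((RSASHA1, 11112)),
}


def demo():
    ok = check_zone(KEYS_DOUBLE, ZONE_DOUBLE, ds_algorithms={RSASHA1})
    bad = check_zone(KEYS_DOUBLE, ZONE_PREMATURE,
                     ds_algorithms={RSASHA1, ECDSAP256SHA256})
    return ok, bad


if __name__ == "__main__":
    ok, bad = demo()
    print("double-signed zone:", "passes" if not ok else ok)
    for problem in bad:
        print("premature zone:", problem)
```

The failing case is the operational reason for the "more than one active key" observation: once a second algorithm appears in the DNSKEY RRset, a key of that algorithm has to be actively signing the entire zone, so the draft's rollover states have to be tracked for each algorithm's keys independently. The check here is the signer's obligation; the later RFC 6840 (Section 5.11) tells validators not to reject a zone merely because signatures for some algorithm are absent, but signers that lean on that leniency still get reported as broken by strict tooling.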