I'll pass on my comments on the draft. I've removed my comments that
were duplicates of those submitted by Ed and Paul W.
I'm not an English language expert (even though it is my first and
primary language; I just defer to those with better knowledge than I),
but I did find the draft very readable and only spotted a few minor
typographical nits, which makes it a pretty good document in my view.
Section 2, Last paragraph
------------------------------
This text sort of implies implementations can pick which size of a
hash they wish to support. I'm not sure that was the intent or not.
IMHO, implementations should only allow complete DS record length
hashes (which may themselves be truncated versions of the hash
algorithm). Implementations SHOULD NOT allow for configuration of
hash lengths which are shorter than what the DS length itself
specifies. DS lengths are frequently chosen with great care for
cryptographic reasons. I wouldn't be happy with an implementation
that accepted a 2 byte hash as an acceptable truncated DS record.
Section 3, next sentence after step 4
----------------------------------------
- Doesn't take into account (5011) revoked keys. It's discussed
later, but this sentence is incorrect. 5011 REVOKED keys aren't
caught as an exception in the above points and specifically prohibit
"can be used authenticate RRSets at or below the trust anchor".
Section 3, next sentence after step 4
----------------------------------------
- used authenticate -> used to authenticate
section 4, "Trust anchors correspond to zones' key signing keys"
--------------------------------------------------------
As has sort of been beaten upon already, this isn't the case. TAs can
be either ZSKs or KSKs.
section 4
---------------------------------------------------------------------
"updating that information" -> "update that information"
section 4 and trust anchor repositories
-------------------------------------------------------------
Section 4 is remiss in not mentioning obtaining keys via a third party
trust-anchor-repository. The "Trusted update mechanism" or "Manual
configuration" should probably explicitly mention keys obtained from
TARs because they're looking to be popular.
--
"In the bathtub of history the truth is harder to hold than the soap,
and much more difficult to find." -- Terry Pratchett
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
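The two validation points raised above (accept only DS digests of the full length for their digest type, and never treat an RFC 5011 REVOKED DNSKEY as a usable trust anchor) as an added illustration; this is example code, not the draft's text or any implementation's code. The owner name, flags and public key bytes used in the helpers are constructed sample values.

```python
import hashlib
import hmac

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): type -> (hash, full digest length)
DIGEST_TYPES = {1: (hashlib.sha1, 20), 2: (hashlib.sha256, 32), 4: (hashlib.sha384, 48)}
REVOKE_FLAG = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag as in RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """Full-length DS digest over owner name wire form || DNSKEY RDATA."""
    hasher, _ = DIGEST_TYPES[digest_type]
    return hasher(owner_wire(owner) + rdata).digest()


def ds_matches(owner: str, rdata: bytes, digest_type: int, ds_digest: bytes) -> bool:
    """True only if the DS digest is the complete digest for its type and it matches.

    A DS whose digest is shorter than the algorithm's output (e.g. a 2-byte
    'truncated' digest) is rejected outright rather than compared as a prefix.
    """
    if digest_type not in DIGEST_TYPES:
        return False  # unknown digest type: cannot validate
    _, full_len = DIGEST_TYPES[digest_type]
    if len(ds_digest) != full_len:
        return False  # truncated or over-long digest is not acceptable
    return hmac.compare_digest(compute_ds_digest(owner, rdata, digest_type), ds_digest)


def usable_as_trust_anchor(flags: int) -> bool:
    """A DNSKEY carrying the RFC 5011 REVOKE bit must not authenticate anything."""
    return not (flags & REVOKE_FLAG)
```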