I have a comment regarding the KSK rollover with the "Double-DS" method,
section 3.3.2.

The ICANN draft procedure for submitting DS to the root zone requires
that:
   "At the time of the trust anchor request, there must be a DNSKEY that
   matches the DS record present in the child zone. This will be tested
   for the presence of a matching DNSKEY record as part of the
   implementation of the record. As with most technical
   conformance criteria for the root zone, if a top-level domain
   operator has a situation where this is not the case, but this is by
   design and can be demonstrated not to affect the stability of the TLD
   or the root zone, it is possible to request that the trust anchor be
   listed regardless." [1]


But in the Double-DS timeline the DS is submitted in Event 2, and the
key "could be" introduced in Event 4.

I think it is safe to publish the key N even before Event 2 (but not
activate it before Trdy). And like the root procedure, it could
be recommended to do it this way for any zone whose parent requires a
published-matching-key along with the DS submission.

Regards,

Hugo Salgado

[1]: page 2 of "Placing TLD trust anchors in the root zone" (PDF doc)
<http://www.root-dnssec.org/wp-content/uploads/2010/05/draft-trust-anchor-procedure.pdf>


[email protected] wrote:
> A new version of the DNSSEC key timing draft has been submitted.
>  Amongst the changes, timings for additional KSK and ZSK rollover
> methods have been included following feedback from the IETF meeting in
> Hiroshima.
> 
>> A new version of I-D, draft-morris-dnsop-dnssec-key-timing-02.txt has been
>> successfully submitted by Stephen Morris and posted to the IETF repository.
>>
>> Filename:    draft-morris-dnsop-dnssec-key-timing
>> Revision:    02
>> Title:       DNSSEC Key Timing Considerations
>> Creation_date:    2010-03-05
>> WG ID:       Independent Submission
>> Number_of_pages: 35
>>
>> Abstract:
>> This document describes the issues surrounding the timing of events
>> in the rolling of a key in a DNSSEC-secured zone.  It presents
>> timelines for the key rollover and explicitly identifies the
>> relationships between the various parameters affecting the process.
> 
> The draft can be found at
> http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-02
> 
> Stephen
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
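
The requirement quoted in the message above (a DNSKEY matching the submitted DS must already be present in the child zone) is something an operator can verify before submitting the DS. The following is an added example, not part of the original message or the draft; the zone name `example.`, the key bytes and all helper names are constructed for illustration, and only SHA-256 (digest type 2) DS records are handled.

```python
import hashlib
import struct
from typing import NamedTuple

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lowercase) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """SHA-256 DS: digest over owner name || DNSKEY RDATA (RFC 4509)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), rdata[3], 2, digest)

def matching_dnskey(owner, ds, published):
    """Return the published DNSKEY RDATA the DS refers to, or None."""
    for rdata in published:
        if rdata[3] == ds.algorithm and make_ds(owner, rdata) == ds:
            return rdata
    return None  # also the result for digest types other than 2

# Constructed sample keys (flags 257 = KSK, algorithm 8); not real key material.
OLD_KSK = dnskey_rdata(257, 8, bytes(range(1, 33)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(33, 65)))
DS_NEW = make_ds("example.", NEW_KSK)   # the DS submitted for key N

def parent_would_accept(published):
    """True if the child's DNSKEY RRset contains the key DS_NEW points to."""
    return matching_dnskey("example.", DS_NEW, published) is not None

if __name__ == "__main__":
    print("only old KSK published:", parent_would_accept([OLD_KSK]))
    print("key N pre-published:   ", parent_would_accept([OLD_KSK, NEW_KSK]))
```

The first case is the Double-DS timeline as drafted (DS submitted before key N appears in the zone); the second is the ordering suggested in the message, with key N published but not yet used for signing.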
