Hi again,

On 04/19/2011 02:56 PM, Antoin Verschuren wrote:
> On 18-04-11 19:41, Peter Koch wrote:
>
>> Please review the document and send any comments you may have to the
>> list. If you have no comments but support (or do not support) the
>> document being published, please send that information to the list.
>
> More comments:
>
> Section 4.1.2 last paragraph:
> "In this mechanism, there are periods where there are two DS
> RRs at the parent. Since at the moment of writing the protocol for
> this interaction has not been developed, further discussion is out of
> scope for this document."
>
> This is strange, as the Double-DS rollover mechanism is used further on
> in the document in section 4.1.3 figure 5. I think this text is a
> leftover from a previous version. It is true that an automated rollover
> with an in-band interaction has not been developed yet, but this text
> seems to suggest that Double-DS has not been invented yet.
> And if such interaction were developed, this should be discussed in
> section 4.1.3 where Double-DS is defined, as this is what the
> interaction is trying to automate.
>
> When I take section 4.3.5 into consideration, I think that the
> Double-DS mechanism is almost mandatory for a parent to implement,
> otherwise you cannot accommodate secure child DNS operator changes.
> Since this mechanism can also be used for regular rollovers, as section
> 4.1.3 describes, I think Double-DS will be the default rollover
> mechanism, and double signature only an alternative that will not be
> deployed by all parents like registries that need to implement these
> procedures. They will want to stick to one size fits all.

I don't think the Double-DS is mandatory; you can still accommodate the
secure child DNS operator change with the ZSK Pre-Publish / KSK
Double-Signature approach (Figure 9).

> Suggestion: Remove the last paragraph of section 4.1.2 starting at "An
> alternative mechanism has been considered."
> There's no use in discussing something that doesn't exist yet.

Consider it done.

> Section 4.1.3:
> "A zone key rollover can be handled ...."
> Please use the same syntax:
> "A ZSK rollover can be handled..... "
> It's less confusing.

Ok.

> Section 4.1.4 last paragraph:
> "Since this
> leads to increase in zone and packet size at both child and parent
> there are little benefits to a Double-DS rollover with a Single Type
> signing scheme."
> Same as above.
> A Double-DS rollover is the only rollover mechanism you can use during a
> secure DNS operator change. Even with a Single Type signing scheme.

As I said above, it's not.

Best regards,

Matthijs
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
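The two KSK rollover mechanisms the message argues about, Double-DS (two DS RRs at the parent for a while) and Double-Signature (two KSKs both signing the DNSKEY RRset), as a small added model; this is not code from the draft, from the list or from either correspondent. The step tables are my own reading of the two mechanisms, and the model assumes that each step lasts longer than the largest TTL of any record changed in the previous step (so a validator's cache mixes at most two adjacent steps), that a DS "matches" a key when the names are equal, and that algorithms, key tags and signature validity periods can be ignored. The `check_rollover` function validates the chain of trust for fresh data at every step and for every stale-parent/fresh-child and fresh-parent/stale-child cache combination between adjacent steps; `peak_sizes` reports the DS/DNSKEY RRset growth behind the zone and packet size remark on section 4.1.4. A third, deliberately rushed Double-DS schedule shows what fails when the child swaps its KSK before the old DS has expired from caches.

```python
# Added illustration: a toy model of the Double-DS and Double-Signature KSK
# rollovers named in the thread. Not code from the draft or the list; the
# step tables are my reading of the mechanisms.
# Assumptions: a step lasts longer than the largest TTL of any record changed
# in the previous step, so caches mix at most two adjacent steps; a DS matches
# a key when the names are equal; algorithms, key tags and signature validity
# periods are ignored. "Z" stands for the ZSK, which plays no part in the check.


def chain_ok(ds_set, dnskey_set, signers):
    """The chain of trust holds when at least one trusted DS points at a key
    that is both published in the DNSKEY RRset and among its signers."""
    return any(k in dnskey_set and k in signers for k in ds_set)


def check_rollover(steps):
    """steps: list of (name, ds_set, dnskey_set, signers), one per step.
    Returns failure descriptions; an empty list means fresh data validates at
    every step and so does every mixture of adjacent-step parent/child data
    a validator cache may hold."""
    failures = []
    for i, (name, ds, keys, signers) in enumerate(steps):
        if not chain_ok(ds, keys, signers):
            failures.append(f"{name}: fresh parent and child data do not validate")
        if i == 0:
            continue
        prev_name, prev_ds, prev_keys, prev_signers = steps[i - 1]
        # Validator still holds the parent's old DS RRset, sees new child data.
        if not chain_ok(prev_ds, keys, signers):
            failures.append(
                f"{prev_name} -> {name}: cached DS {sorted(prev_ds)} "
                f"cannot validate new DNSKEY {sorted(keys)}")
        # Validator sees the parent's new DS RRset, still holds old child data.
        if not chain_ok(ds, prev_keys, prev_signers):
            failures.append(
                f"{prev_name} -> {name}: new DS {sorted(ds)} "
                f"cannot validate cached DNSKEY {sorted(prev_keys)}")
    return failures


def peak_sizes(steps):
    """(largest DS RRset, largest DNSKEY RRset) seen during the rollover: the
    zone/packet-size trade-off between the two mechanisms."""
    return (max(len(s[1]) for s in steps), max(len(s[2]) for s in steps))


# KSK K1 -> K2 with two DS RRs at the parent for a while; the child swaps its
# KSK in a single step, so the DNSKEY RRset never carries two KSKs.
DOUBLE_DS = [
    ("initial",    {"K1"},       {"K1", "Z"}, {"K1"}),
    ("new DS",     {"K1", "K2"}, {"K1", "Z"}, {"K1"}),  # hold for DS TTL
    ("new DNSKEY", {"K1", "K2"}, {"K2", "Z"}, {"K2"}),  # hold for DNSKEY TTL
    ("DS change",  {"K2"},       {"K2", "Z"}, {"K2"}),
]

# KSK K1 -> K2 with both KSKs published and both signing the DNSKEY RRset;
# the parent only ever holds one DS.
DOUBLE_SIGNATURE = [
    ("initial",        {"K1"}, {"K1", "Z"},       {"K1"}),
    ("new DNSKEY",     {"K1"}, {"K1", "K2", "Z"}, {"K1", "K2"}),  # hold for DNSKEY TTL
    ("DS change",      {"K2"}, {"K1", "K2", "Z"}, {"K1", "K2"}),  # hold for DS TTL
    ("DNSKEY removal", {"K2"}, {"K2", "Z"},       {"K2"}),
]

# Failure mode: the child swaps its KSK in the same step the second DS is
# added, i.e. without waiting for the old DS RRset to expire from caches.
DOUBLE_DS_RUSHED = [
    ("initial",          {"K1"},       {"K1", "Z"}, {"K1"}),
    ("new DS + new KSK", {"K1", "K2"}, {"K2", "Z"}, {"K2"}),
    ("DS change",        {"K2"},       {"K2", "Z"}, {"K2"}),
]

if __name__ == "__main__":
    for label, plan in (("Double-DS", DOUBLE_DS),
                        ("Double-Signature", DOUBLE_SIGNATURE),
                        ("Double-DS, rushed", DOUBLE_DS_RUSHED)):
        problems = check_rollover(plan)
        print(f"{label}: peak DS/DNSKEY sizes {peak_sizes(plan)}, "
              f"{'ok' if not problems else problems}")
```

Run as a script it reports both orderly schedules as clean, Double-DS peaking at two DS RRs and two keys, Double-Signature at one DS and three keys, and flags the rushed schedule: a validator that still caches the parent's single DS for K1 cannot validate a DNSKEY RRset that only contains K2.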
