I have a comment about section 4.1.4, Rollover for a Single Type Signing Key.

The following simple scheme doesn't seem to be covered.

(1) Introduce new key DNS_K_2.
(2) Add DS record for DNS_K_2 to parent zone.
(3) Wait for DNS_K_2 and its DS record to propagate.
(4) Stop signing with DNS_K_2, start signing with DNS_K_1.
(5) Wait for DNS_K_2 signatures to propagate.
(6) Remove DNS_K_1 from child and its DS record from parent.

This has the advantage of minimising the size of the signed DNSKEY response to 2 x DNSKEY and 1 x RRSIG, and doesn't involve double signatures. It is double-DS, but given that DS records are relatively small, this may be a lesser consideration, whereas the size of the DNSKEY response is most likely to be affected by fragmentation/TCP fallback considerations.

George Barwood

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
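Added example, not part of the original message: a small Python model of the six steps above that, for every mix of cached DS, DNSKEY and data RRSIG a validator could still hold between the propagation waits, checks that validation succeeds. It reads step 4 as signing moving from DNS_K_1 to DNS_K_2 (an assumption on my part), and also shows what the model reports when one of the wait steps is skipped.

```python
from itertools import product

# Zone/parent state after each step of the rollover, modelled as:
#   ds     -> keys that have a DS record in the parent
#   dnskey -> keys published in the child's DNSKEY RRset
#   signer -> the single key signing both the DNSKEY RRset and zone data
# "wait" marks a propagation pause after which every stale cache has expired.
# Constructed from the message (K1 = DNS_K_1, K2 = DNS_K_2); step 4 is
# assumed to mean that signing moves from K1 to K2.
ROLLOVER = [
    ("initial",            dict(ds={"K1"},       dnskey={"K1"},       signer="K1")),
    ("1 publish K2",       dict(ds={"K1"},       dnskey={"K1", "K2"}, signer="K1")),
    ("2 add DS for K2",    dict(ds={"K1", "K2"}, dnskey={"K1", "K2"}, signer="K1")),
    ("3 wait",             None),
    ("4 sign with K2",     dict(ds={"K1", "K2"}, dnskey={"K1", "K2"}, signer="K2")),
    ("5 wait",             None),
    ("6 remove K1 and DS", dict(ds={"K2"},       dnskey={"K2"},       signer="K2")),
]

def validates(ds, dnskey, dnskey_signer, data_signer):
    """A validator holding these (possibly stale) cached RRsets succeeds only if
    the DNSKEY RRset is signed by a published key that has a DS, and the data
    RRSIG was made by a key in that now-trusted DNSKEY RRset."""
    dnskey_trusted = dnskey_signer in dnskey and dnskey_signer in ds
    return dnskey_trusted and data_signer in dnskey

def check_rollover(steps):
    """Return the names of steps at which some mix of cached DS, DNSKEY and
    data RRSIG (anything seen since the last wait) fails to validate."""
    window, failures = [], []
    for name, state in steps:
        if state is None:          # propagation wait: only the newest state survives
            window = window[-1:]
            continue
        window.append(state)
        for ds_src, key_src, data_src in product(window, repeat=3):
            if not validates(ds_src["ds"], key_src["dnskey"],
                             key_src["signer"], data_src["signer"]):
                failures.append(name)
                break
    return failures

def without_step(steps, prefix):
    """The same rollover with the step whose name starts with `prefix` left out."""
    return [s for s in steps if not s[0].startswith(prefix)]

if __name__ == "__main__":
    print("as described:", check_rollover(ROLLOVER) or "no validation failures")
    print("skipping step 5:", check_rollover(without_step(ROLLOVER, "5")))
```

Skipping either wait step makes the model report the step at which a stale cache can no longer validate, which is the property the waits in steps 3 and 5 exist to guarantee.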
