Hi WG,

Review from Stephen and Peter resulted in a new version of DNSSEC Operational Practices, Version 2. Besides editorial changes, the most important changes are:

* The third school of thought for rolling a KSK that is not a trust anchor (in section 3.2.1), that it should only be done when it is known or strongly suspected that the key can be or has been compromised, is extended with: or when a new algorithm or key storage is required.
* In section 4.1.1.2 on Double Signature Zone Signing Key Rollover, a recommendation on the duration of the "new DNSKEY" phase was removed; it was being too conservative.
* Section 4.3.5.1 on Cooperating DNS operators adds clarifying text for Figure 9: Rollover for cooperating operators.
* An additional, clarifying diagram for the alternative approach on rollover for cooperating operators is given in Figure 14, Appendix D.

Best regards,
Matthijs

On 02/14/2012 11:46 AM, [email protected] wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Domain Name System
> Operations Working Group of the IETF.
>
> Title     : DNSSEC Operational Practices, Version 2
> Author(s) : Olaf M. Kolkman
>             W. (Matthijs) Mekking
> Filename  : draft-ietf-dnsop-rfc4641bis-09.txt
> Pages     : 70
> Date      : 2012-02-14
>
> This document describes a set of practices for operating the DNS
> with security extensions (DNSSEC). The target audience is zone
> administrators deploying DNSSEC.
>
> The document discusses operational aspects of using keys and
> signatures in the DNS. It discusses issues of key generation, key
> storage, signature generation, key rollover, and related policies.
>
> This document obsoletes RFC 4641 as it covers more operational
> ground and gives more up-to-date requirements with respect to key
> sizes and the DNSSEC operations.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-dnsop-rfc4641bis-09.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-dnsop-rfc4641bis-09.txt
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
