Matthijs Mekking <[email protected]> wrote:

Most of your points look OK to me though I have not yet reviewed the
document in detail. I have a disagreement and a suggestion:

> * Section 2.1. ZSK Rollovers
>
> - Bullet point 2, second paragraph. "Once the signing process is
> complete and enough time has elapsed to allow all old information to
> expire from caches, ...". It is actually more about the new information
> to propagate to caches, so I would suggest to replace it with:
>
> Once the signing process is complete and enough time has elapsed to
> allow all new information to propagate to caches, ...
>       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

No, I think the original text is correct. You can't remove the old DNSKEY
until all the old RRsets (and RRSIGs) have expired, and you can't remove
the old RRSIGs until the old DNSKEY RRsets have expired. Whether the
caches have the new data is irrelevant since it's also OK for them to have
no data. And when caches are filled is not under the authority's control.

> - Bullet point 1 says that the ZSK Double Signature rollover is also
> known as Double-DNSKEY. I have not heard of this term before reading
> this document. Is it really known as?

Double-KSK would be a better term, since Double-DNSKEY sounds like the
normal steady state with a KSK and ZSK.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
