On Feb 19, 2013, at 4:00 PM, Paul Wouters wrote:

>>> 5) (this is tricky !) Security section states : "not for initial enrollment"
>>> Why not ?
>
> There is no path of trust!
>

+1, I think the draft should keep the recommendation that this is not for initial enrollment.

One other comment in Section 5.1, last paragraph: If the child zone does go unsigned, the parental agent should not (or SHOULD NOT) treat that as intent to go unsigned since that could be an attack. An attacker could spoof unsigned responses to queries from the parental agent in an attempt to force a break in the DNSSEC chain. We had this discussion on how to respond to signed .gov zones that erred and stripped their own RRSIGs/DNSKEYs.

Minor quip: Section 4: 'It is conceivable that this could be a "value added" service' Really doesn't belong in a protocol spec and really doesn't add anything. Suggest dropping it. Registrars/service providers can figure that out on their own (if they haven't already).

Scott

> Paul
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

===================================
Scott Rose
NIST
[email protected]
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================
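The two points made in this message (CDS/CDNSKEY must not bootstrap an initial DS, and an unsigned or unvalidatable answer must never be read as "the child wants to go insecure") boil down to a decision rule a parental agent applies every time it polls the child. The following is an added illustration written for this thread; it is not code from the draft, from NIST, or from any registry. It models the poll result as a small constructed record rather than doing real DNS lookups, and the names (`CdsPollResult`, `decide_ds_action`, the rdata strings) are assumptions made for the example. It also assumes that a validated answer carrying no CDS records means "leave the DS alone", which is the conservative reading of the draft.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class CdsPollResult:
    """Constructed summary of one CDS query the parental agent made to the child apex.

    rcode      -- DNS response code as a string ("NOERROR", "SERVFAIL", ...)
    validated  -- True only if a validating resolver proved the answer (signed
                  CDS RRset, or a signed proof of nonexistence for NODATA)
    cds_rdata  -- CDS records found, each as the presentation-format string
                  "<keytag> <alg> <digesttype> <digest>" (hypothetical values)
    """
    rcode: str
    validated: bool
    cds_rdata: List[str] = field(default_factory=list)


def decide_ds_action(current_ds: List[str], poll: CdsPollResult) -> Tuple[str, str]:
    """Return (action, reason) for the parent's DS RRset.

    action is "no_action" or "update_ds". The parent only ever *changes*
    an existing DS and only on DNSSEC-validated data, so no attacker who
    can merely spoof unsigned answers can break the chain of trust.
    """
    # Rule 1: "not for initial enrollment". With no DS in the parent there is
    # no path of trust to the child, so a CDS cannot be believed at all.
    if not current_ds:
        return ("no_action", "child has no DS yet; CDS cannot bootstrap trust")

    # Rule 2: an unsigned, bogus or failed answer is NOT intent to go insecure.
    # Spoofed unsigned responses look exactly like this, so keep the DS as-is.
    if poll.rcode != "NOERROR" or not poll.validated:
        return ("no_action",
                "answer not DNSSEC-validated (possible spoofing); keeping DS")

    # Rule 3: a validated answer with no CDS means the child requests nothing.
    if not poll.cds_rdata:
        return ("no_action", "validated NODATA for CDS; DS unchanged")

    # Rule 4: a validated CDS set that already matches the DS is a no-op.
    if sorted(poll.cds_rdata) == sorted(current_ds):
        return ("no_action", "validated CDS matches current DS")

    # Rule 5: validated CDS differs from DS: this is a legitimate rollover.
    return ("update_ds", "validated CDS differs from DS; replacing DS RRset")


# Constructed sample values; the digests are placeholders, not real keys.
CURRENT_DS = ["12345 13 2 " + "aa" * 32]
NEW_CDS = ["54321 13 2 " + "bb" * 32]

SCENARIOS = {
    "initial_enrollment": ([], CdsPollResult("NOERROR", True, NEW_CDS)),
    "spoofed_unsigned": (CURRENT_DS, CdsPollResult("NOERROR", False, [])),
    "child_broken_servfail": (CURRENT_DS, CdsPollResult("SERVFAIL", False, [])),
    "validated_nodata": (CURRENT_DS, CdsPollResult("NOERROR", True, [])),
    "validated_rollover": (CURRENT_DS, CdsPollResult("NOERROR", True, NEW_CDS)),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario; returns {name: action}."""
    return {name: decide_ds_action(ds, poll)[0]
            for name, (ds, poll) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ds, poll) in SCENARIOS.items():
        action, reason = decide_ds_action(ds, poll)
        print(f"{name:24s} -> {action:10s} ({reason})")
```

Only the last scenario changes anything in the parent; the spoofed-unsigned and SERVFAIL cases fall through the same branch, which is the point of the "SHOULD NOT treat as intent" comment: the agent cannot distinguish an attacker's unsigned answer from a child that really stripped its signatures, so it must do nothing either way.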