On 5. 10. 2013, at 20:55, Warren Kumari <[email protected]> wrote:
> Filename:      draft-kumari-ogud-dnsop-cds
> Revision:      05
> Title:                 Automating DNSSEC delegation trust maintenance
> Creation date:         2013-10-05
> Group:                 Individual Submission
> Number of pages: 17
> URL:             http://www.ietf.org/internet-drafts/draft-kumari-ogud-dnsop-cds-05.txt
> Status:          http://datatracker.ietf.org/doc/draft-kumari-ogud-dnsop-cds
> Htmlized:        http://tools.ietf.org/html/draft-kumari-ogud-dnsop-cds-05
> Diff:            http://www.ietf.org/rfcdiff?url2=draft-kumari-ogud-dnsop-cds-05
> 
> Abstract:
>  This document describes a method to allow DNS operators to more
>  easily update DNSSEC Key Signing Keys using DNS as communication
>  channel.  This document does not address the initial configuration of
>  trust anchors for a domain.  The technique described is aimed at
>  delegations in which it is currently hard to move information from
>  the child to parent.


I fully support this to go ahead, although I disagree with some parts of the 
document.

One (not so strong) thought – it might be actually good to split the 
"requirements" and the "protocol" part into separate documents.

E.g. split sections 1 and 2 (+ Appendix A) into a separate 'Informational' document 
and create a new 'Standards' document from section 3 to the end of the 
document.

Some other comments:

Section 6.2 second paragraph:

I would add a recommendation to check the CDS/CDNSKEY value for 
<n> consecutive CDS/CDNSKEY TTL times to ensure that the change is valid.  
(Where <n> is something like <2,...> per parent local policy).

Section 6.3 third paragraph:

The usual mechanism is the NOTIFY email in the registry, and the owner of the 
object is notified of any change of the affected object.  Thus it seems to me 
that this paragraph is not needed.

Otherwise lgtm.

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:[email protected]    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------
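An added example of the parent-side check suggested in the Section 6.2 comment above (example code, not from the draft or from anyone in this thread): a stability tracker that accepts a CDS-derived DS change only after the same CDS RRset has been seen on <n> consecutive polls spaced at least one CDS TTL apart. It assumes the caller has already queried the child apex and DNSSEC-validated the CDS response before feeding in each observation; the record tuples and timestamps are constructed.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# One CDS record as (key_tag, algorithm, digest_type, digest); digests below are constructed.
CdsRecord = Tuple[int, int, int, str]


@dataclass(frozen=True)
class CdsObservation:
    time: int                    # poll time in seconds since epoch (constructed)
    ttl: int                     # TTL of the CDS RRset as served by the child
    rrset: FrozenSet[CdsRecord]  # the (already validated) CDS RRset seen at the apex


@dataclass
class CdsStabilityChecker:
    """Parent policy: publish a CDS RRset as DS only after it is seen unchanged on
    `required_polls` consecutive polls, each at least one CDS TTL after the last.
    `required_polls` is the <n> from the message, set by parent local policy."""
    current_ds: FrozenSet[CdsRecord]
    required_polls: int = 2
    history: List[CdsObservation] = field(default_factory=list)

    def observe(self, obs: CdsObservation) -> Optional[FrozenSet[CdsRecord]]:
        """Record one poll; return the new DS RRset once stable (adopting it), else None."""
        if obs.rrset == self.current_ds:
            self.history = []   # nothing to change; drop any half-confirmed candidate
            return None
        if self.history and obs.rrset != self.history[-1].rrset:
            self.history = []   # a different candidate restarts the count
        self.history.append(obs)
        if len(self.history) < self.required_polls:
            return None
        window = self.history[-self.required_polls:]
        # Consecutive observations must be a full TTL apart, so the RRset is shown to
        # persist across n TTL periods rather than being re-read n times within one.
        for earlier, later in zip(window, window[1:]):
            if later.time - earlier.time < earlier.ttl:
                return None
        self.current_ds = obs.rrset
        self.history = []
        return obs.rrset


def demo() -> Optional[FrozenSet[CdsRecord]]:
    """Constructed KSK rollover where the child's CDS flaps once before settling."""
    old = frozenset({(11111, 8, 2, "constructed-digest-old")})
    new = frozenset({(22222, 8, 2, "constructed-digest-new")})
    checker = CdsStabilityChecker(current_ds=old, required_polls=2)
    accepted = None
    for t, rrset in [(0, new), (1800, new), (3600, old), (7200, new), (10800, new)]:
        accepted = checker.observe(CdsObservation(t, 3600, rrset)) or accepted
    return accepted
```

The short-spaced poll at 1800 and the flap back to the old set at 3600 both delay acceptance; only the two TTL-spaced sightings at 7200 and 10800 promote the new RRset.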


_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
