Hi,

I went through the draft http://tools.ietf.org/html/draft-jabley-dnssec-trust-anchor-07 and have some comments and questions.

Section provides 3 URL examples with the keyword "key-label". Maybe it would be helpful to designate it as "key-digest-id", as we get it from the following line:

<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">

Then I have other questions regarding the format of the certificate. Maybe some text should be added to clarify these points.

1) Why is KeyUsage not specified? This field is Critical, and I would have expected to have these two values: digitalSignature (0) and nonRepudiation (1), as it signs the ZSK.

2) Why don't you use a Subject Alternative Name with the DNS name = the FQDN of the zone? This informational field would bind the KSK to the zone. The CN string format "Root Zone KSK 2010-06-16T21:19:24+00:00" could be considered as a description.

3) Are there any reasons to put CN "Root Zone KSK 2010-06-16T21:19:24+00:00" instead of the exact name of the zone, i.e., in our case "."?

4) What are the motivations for resourceRecord? Is that to specify the usage and the Subject Alternative Name? I understand it as a private attribute. Am I right?

Best Regards,
Daniel

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
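The trust-anchor XML layout the message quotes, as an added example that is not part of the original e-mail or of the draft: a small parser that turns each KeyDigest element into a DS record while honouring its validFrom/validUntil window, plus a helper that builds the certificate URL from the KeyDigest id (what the message calls the "key-label"). The sample file, its KeyTag and Digest values are constructed placeholders, and placing the `.crt` file beside the file named in the `source` attribute is an assumption.

```python
"""Parse trust-anchor XML in the draft-jabley-dnssec-trust-anchor layout and
emit DS records for the KeyDigest elements that are valid at a given time."""
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml if the file is untrusted

# Constructed sample in the draft's layout: the TrustAnchor id, KeyTag and
# Digest values are placeholders, not the real root KSK values.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="00000000-0000-0000-0000-000000000000"
             source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF</Digest>
  </KeyDigest>
  <KeyDigest id="Oldkey1" validFrom="2005-01-01T00:00:00+00:00"
             validUntil="2010-07-15T00:00:00+00:00">
    <KeyTag>11111</KeyTag><Algorithm>5</Algorithm><DigestType>1</DigestType>
    <Digest>00112233445566778899AABBCCDDEEFF00112233</Digest>
  </KeyDigest>
</TrustAnchor>
"""

def _parse_ts(value):
    """Parse the draft's ISO-8601 timestamps (explicit UTC offset)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def valid_ds_records(xml_text, now_iso):
    """Return '<zone> IN DS <keytag> <alg> <digesttype> <digest>' lines for
    every KeyDigest whose [validFrom, validUntil) window contains now_iso."""
    now = _parse_ts(now_iso)
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    records = []
    for kd in root.findall("KeyDigest"):
        if now < _parse_ts(kd.get("validFrom")):
            continue  # not yet valid
        until = kd.get("validUntil")
        if until and now >= _parse_ts(until):
            continue  # expired
        fields = [kd.findtext(t) for t in ("KeyTag", "Algorithm", "DigestType", "Digest")]
        records.append(f"{zone} IN DS " + " ".join(fields))
    return records

def cert_url(xml_text, key_id):
    """Assumed layout: the PKIX certificate for a KeyDigest id (the e-mail's
    'key-label') sits beside the file named in the source attribute."""
    base = ET.fromstring(xml_text).get("source").rsplit("/", 1)[0]
    return f"{base}/{key_id}.crt"
```

A resolver operator would compare the DS lines this yields against the DNSKEY RRset actually served for the zone before trusting a new anchor.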
