On 11 April 2017 at 15:27, Carl Clements <[email protected]> wrote:
>
> There is one detail that I feel is not explicit enough in 6781 that is
> extremely relevant during a DNSSEC operator migration. It is assumed in
> this document that DNSKEY_*_A and DNSKEY_*_B use the same signature
> algorithm. That assumption is derived from the implication that this
> document describes a Double-DS KSK rollover, which is incompatible with
> an algorithm rollover even with the liberal approach to Section 2.2 of
> RFC 4035 <https://tools.ietf.org/html/rfc4035#section-2.2>. I think it
> would be helpful to at least reference this implication in section 2.1 of
> your draft.
>

This is an excellent point, and I'll add that to the doc ... likely in the
assumptions for now. More below.

>
> My other thought is regarding the instruction to pre-publish DNSKEY_K_B
> and post-publish DNSKEY_K_A. As far as I can tell, and we have discussed
> this a little out of band, the only value provided by publishing and
> signing this KSK is to satisfy any over-conservative DS checks performed by
> the maintainers of the parent zone. The essential chain of trust "cross
> pollination" is that both DNSKEY_Z_A and DNSKEY_Z_B are signed by
> either KSK.
>

Yeah, the procedure as described in the doc currently is a little
over-cautious with key handling. It's mainly to simplify the description of
requirements, but I'm planning to change the way it's written out.

One piece of feedback I've received privately is that the document could
benefit from having the *requirements* for a clean transfer spelled out, and
that the procedure be included as an example, possibly of the shortest path
to meet the requirements. I think that bit of reorganization would help with
the explanation of when it's actually important to pre/post-publish keys,
and coincidentally provide a good place for your note about algo
compatibility to live. I've been working on text, but it's been a busy few
months so I'm not quite ready to roll -03.

> Lastly, it looks as though you opted to spell out TTL waits, for example.
> For what it is worth, I am in favour of this choice.
>

I added that in -02 with the long-form description of the procedure. Given
that the intended audience is not intended to be able to work out this
procedure on their own, I thought it was important to be as explicit as
possible.

Thanks for the feedback!
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
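The transfer state the thread argues about (both DS records at the parent, each operator's apex DNSKEY RRset carrying both ZSKs, and a single signing algorithm as required by RFC 4035 section 2.2) can be checked mechanically. The Python below is an added example written for this page; it is not code from the draft, from either participant, or from any DNS software. The zone name, key bytes and record sets are constructed placeholders, and RRSIGs are paired with keys by key tag, algorithm and signer name only; no signature bytes are verified, so the checks are the structural ones a practitioner would run before and after each TTL wait, not a substitute for a validating resolver.

```python
"""Structural checks on a zone apex during a Double-DS DNSSEC operator transfer.
Added example, not code from the draft or any DNS software.  Signatures are
paired with keys by tag/algorithm only; their bytes are NOT verified."""
import hashlib
import struct
from collections import namedtuple
from dataclasses import dataclass
from typing import Iterable, List

SEP_FLAG = 0x0001   # DNSKEY flags bit 15 (RFC 4034 2.1.1): Secure Entry Point, i.e. a KSK
DS_SHA256 = 2       # DS digest type 2 (RFC 4509)
DS = namedtuple("DS", "key_tag algorithm digest_type digest")
RRSIG = namedtuple("RRSIG", "type_covered algorithm key_tag signer")  # fields needed for matching only

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    algorithm: int
    public_key: bytes   # raw public key field; placeholder bytes in the sample below
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit fold of the RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds(self) -> DS:
        """The DS RR (digest type 2) a parent would publish for this key."""
        digest = hashlib.sha256(name_to_wire(self.owner) + self.rdata()).hexdigest()
        return DS(self.key_tag(), self.algorithm, DS_SHA256, digest)

def _dnskey_signers(rrsigs: Iterable[RRSIG]) -> set:
    return {(s.algorithm, s.key_tag, s.signer.lower()) for s in rrsigs if s.type_covered == "DNSKEY"}

def usable_ds(dnskeys: List[DNSKEY], dnskey_rrsigs: List[RRSIG], parent_ds: List[DS]) -> List[DS]:
    """Parent DS records that lead to a SEP key present in, and signing, the DNSKEY RRset.
    A validator needs only one (RFC 4035 5.2); the 'every DS must match' rule the thread
    calls over-conservative is deliberately not enforced."""
    signers = _dnskey_signers(dnskey_rrsigs)
    return [ds for ds in parent_ds if any(
        k.flags & SEP_FLAG and k.ds() == ds and (k.algorithm, k.key_tag(), k.owner.lower()) in signers
        for k in dnskeys)]

def check_apex(dnskeys, dnskey_rrsigs, data_rrsigs, parent_ds) -> List[str]:
    """Return the problems found; an empty list means a validator can use this apex."""
    problems = []
    if not usable_ds(dnskeys, dnskey_rrsigs, parent_ds):
        problems.append("no parent DS matches a SEP key that signed the DNSKEY RRset")
    # ZSK cross-pollination: data may be signed by either operator's ZSK, so both must be present.
    present = {(k.algorithm, k.key_tag()) for k in dnskeys}
    for s in data_rrsigs:
        if (s.algorithm, s.key_tag) not in present:
            problems.append(f"{s.type_covered} signed by key {s.key_tag}/{s.algorithm} absent from DNSKEY RRset")
    # RFC 4035 2.2: every algorithm in the RRset must sign it; a Double-DS transfer that also
    # changes algorithm cannot satisfy this.
    missing = {k.algorithm for k in dnskeys} - {a for a, _, _ in _dnskey_signers(dnskey_rrsigs)}
    problems += [f"algorithm {a} is in the DNSKEY RRset but no RRSIG over it uses that algorithm" for a in sorted(missing)]
    return problems

# Constructed sample: example.net. moving from operator A to B.  Key bytes are placeholders.
ZONE = "example.net."
KSK_A, ZSK_A = DNSKEY(ZONE, 257, 13, b"placeholder-ksk-A"), DNSKEY(ZONE, 256, 13, b"placeholder-zsk-A")
KSK_B, ZSK_B = DNSKEY(ZONE, 257, 13, b"placeholder-ksk-B"), DNSKEY(ZONE, 256, 13, b"placeholder-zsk-B")
PARENT_DS = [KSK_A.ds(), KSK_B.ds()]   # Double-DS: the parent publishes both

def signed_by(k: DNSKEY, rtype: str) -> RRSIG:
    return RRSIG(rtype, k.algorithm, k.key_tag(), k.owner)

def operator_a_mid_transfer() -> List[str]:
    """A's apex with B's ZSK pre-published: sound even though KSK_B is not published there."""
    return check_apex([KSK_A, ZSK_A, ZSK_B], [signed_by(KSK_A, "DNSKEY")],
                      [signed_by(ZSK_A, "A"), signed_by(ZSK_B, "A")], PARENT_DS)

def operator_a_without_zsk_b() -> List[str]:
    """B's ZSK never pre-published: data B signs cannot validate against A's apex."""
    return check_apex([KSK_A, ZSK_A], [signed_by(KSK_A, "DNSKEY")],
                      [signed_by(ZSK_A, "A"), signed_by(ZSK_B, "A")], PARENT_DS)

def operator_b_other_algorithm() -> List[str]:
    """B signs with algorithm 8 while carrying A's algorithm-13 ZSK: RFC 4035 2.2 is violated."""
    ksk_b8 = DNSKEY(ZONE, 257, 8, b"placeholder-ksk-B-rsa")
    zsk_b8 = DNSKEY(ZONE, 256, 8, b"placeholder-zsk-B-rsa")
    return check_apex([ksk_b8, zsk_b8, ZSK_A], [signed_by(ksk_b8, "DNSKEY")],
                      [signed_by(zsk_b8, "A")], PARENT_DS + [ksk_b8.ds()])
```

The three scenario functions map onto the thread: `operator_a_mid_transfer` passes without KSK_B in A's RRset, which is the point that pre-publishing the other operator's KSK only serves conservative parent-side DS checks; `operator_a_without_zsk_b` reports the real failure, a cached DNSKEY RRset that lacks the ZSK the other operator signs with; and `operator_b_other_algorithm` reports the RFC 4035 section 2.2 violation that makes a Double-DS transfer incompatible with an algorithm change. To run it against a live zone, build the `DNSKEY`, `RRSIG` and `DS` values from `dig +dnssec` output, with the DNSKEY public key field base64-decoded into `public_key`.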
