Hi Warren,

On 14 Jan 2018, at 20:51, Warren Kumari <war...@kumari.net> wrote:

> I had a conversation with a friend earlier today, who had carefully read the 
> document 
> (https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/), but 
> had not managed to understand it at all. Since this friend is bright, and 
> really understands DNS, I figured that the document doesn't do as good a 
> job explaining how this would be used in practice as it should. Sometimes it 
> is easier to explain things in an informal manner, and so here is a 
> (hopefully better) description of draft-ietf-dnsop-kskroll-sentinel.
> 
> 2 things seemed to be causing confusion:

I think the document would benefit from some explicit advice for zone 
administrators and some explicit requirements for validating resolvers, and 
having them both separated into obviously-distinct sections. An example of a 
specific experiment would also be useful.

A careful review of some of the terminology would also probably help. At the 
moment the text contains phrases like "query name that is signed with 
a DNSSEC signature" that I think add to the ambiguity and confusion (query 
names are not signed; RRSets are signed, and the corresponding part of an RRSet 
to a QNAME in the sense that I think is intended is an owner name).

I definitely agree that even with some prior idea of what this mechanism is 
trying to do (and some prior exposure to the geoffsperiments that provide 
context) this draft is quite hard to understand. The small handful of slides I 
saw Geoff present about this seemed far easier to understand than the draft, in 
fact.

I would be happy to suggest text if that seems useful, but I haven't done that 
here since it seems likely that other text changes are already in the pipeline, 
based on reviews on this list so far.


Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop