On Oct 5, 2021, at 12:16 PM, Benjamin Kaduk via Datatracker <[email protected]> wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks to Dan Harkins for the secdir review, and the authors for the
> corresponding updates.
>
> Section 1
>
> DNSSEC is primarily described in [RFC4033], [RFC4034], and [RFC4035].
> DNSSEC commonly uses two resource records beyond those defined in RFC
> 4034: DS [RFC3658] (which was obsoleted by RFC 4034) and NSEC3
> [RFC5155].
>
> I'm a bit confused at how DS is "beyond those defined in RFC 4034" when
> RFC 4034 includes discussion of DS, the record format, etc.
Thank you; no one else noticed this. I've replaced it with:
DNSSEC is primarily described in {{RFC4033}}, {{RFC4034}}, and {{RFC4035}}.
DNSSEC commonly uses another resource record beyond those defined in RFC 4034:
NSEC3 {{RFC5155}}.
DS resource records were originally defined in {{RFC3658}}, and that definition
was obsoleted by RFC 4034.
> Section 4
>
> In the "Domain Name System Security (DNSSEC) NextSECure3 (NSEC3)
> Parameters" registry, the registration procedure for "DNSSEC NSEC3
> Flags", "DNSSEC NSEC3 Hash Algorithms", and "DNSSEC NSEC3PARAM Flags"
> are changed from "Standards Action" to "RFC Required".
>
> I note (this is a "comment", after all, right?) that the "flags"
> registries have only 7 values available. It is not entirely clear to me
> that the IESG would be justified in using an RFC 5742 conflict-review
> response to try to block any frivolous registration attempts made in
> non-IETF-stream RFCs, but maybe we are willing to place confidence in
> the other streams' managers behaving responsibly and otherwise accept
> this risk.
I think so, yes.
>
> NITS
>
> Section 2 only talks about "DS or NSEC3 hash algorithms" but the actual
> registry actions also cover the NSEC3{,PARAMS} flags registries.
Good catch. I'll update that sentence to talk about all the registries.
--Paul Hoffman
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
