Document: draft-ietf-dnsop-ds-automation
Title: Operational Recommendations for DNSSEC Delegation Signer (DS) Automation
Reviewer: Peter van Dijk
Review result: Ready with Nits

Hello!

I am the assigned reviewer from the DNS Directorate for this revision (05) of
the draft.

This is a solid document. My concerns are tiny. Please find them below.

```
Parent (DNS operator):  The DNS operator responsible for a Parent
      zone and, thus, involved with the maintenance of the delegation's
      DNSSEC parameters (in particular, the acceptance of these
      parameters and the publication of corresponding DS records).
```

The Parent (the party responsible for the Parent zone) is the Registry. The
Registry is not necessarily the DNS operator ("entity responsible for running
DNS servers", RFC9499), so "DNS operator" seems wrong to me here.

In other places in the document, DNS Operator is also used to refer to the
manager of the child zone. This also seems wrong to me.

I note that the title of 9615 uses "Zone Operator" which seems right to me. I
also note that the body of 9615 consistently uses "DNS Operator". It seems this
ship may have sailed.

```
   2.  Parent-side entities (such as registries) SHOULD reduce a DS
       record set's TTL to a value between 5–15 minutes when the set of
       records is changed, and restore the normal TTL value at a later
       occasion (but not before the previous DS RRset's TTL has
       expired).
```

Why is the previous TTL relevant to deciding how long to wait?

```
   3.  Child DNS operators SHOULD be notified using a report query
       [RFC9567] to the agent domain as described in Section 4 of
       [RFC9859].
```

Does 9567 apply only in error cases, or also in success cases?

```
   thus being ignored.
```

I suggest "causing all of them to be ignored"

Section 5.2 lists "situations of particular interest" and "conditions worthy of
being reported". Then, "justified to attempt communicating" is linked to
"reportworthy cases". If this indeed is meant to refer to only cases 3 and 4, I
recommend being more explicit than repeating the term "reportworthy cases". If
it is supposed to refer to the entire set, repeating the term is confusing.

I only mention section 6 to point out how well-considered all the reasoning in
it is. Very good work.


