Miek Gieben wrote:
[On 20 Jan, @ 09:07, Gilles wrote in "Re: [dnsop] I-D ACTION:draft-i ..."]
  
Hello,
the new version of the draft is now available. We have taken into 
account remarks, principally those from Samuel Weiler and Rip Loomis, 
and include a document changes section.
    

[I've not thoroughly reviewed this draft, just a quick read of the
diff from 01->02]

But I have a question. Where does this draft fit in?
Taking into account that dnssec-operational-practice-03 also deals
with key rollovers.  And that epp-secdns tries to get a handle on what
to send to your parent zone during updates. 
  
This draft is a requirement draft, thus the goal is to explicitly describe automated key rollover problems.

We think that automated rollover is undertreated in operational practice and some problems must be exposed. For example:
- Automated rollover parameters negotiation between parent and child
- Possible manual changes during an automated rollover
- Key rollover process fault tolerance and consistent state of the chain of trust.

Or more specifically:
- Direct query to authoritative name server avoiding recursive cache server.

Concerning the protocol used to exchange data between parent and child, we agree that EPP can indeed be used. But, maybe other people want to use another protocol like DNSSEC, IPsec, ...

That is why we think this draft is original enough and points out some problems not treated in other drafts or RFCs.

Regards
Regards,
Miek

  

-- 
Gilles Guette
IRISA/INRIA Rennes
France
