On 23/03/2010 21:42:58, "Fredrik Ljunggren" <fred...@kirei.se> wrote:
Hi,
This draft was adopted by the working group at the meeting in Hiroshima.
Since then there has been very limited feedback on the document. A handful
of people volunteered to review the draft, and I encourage them and others
with interest in this to read and provide any feedback they may have.
This update contains mainly editorial changes which are not material.
regards,
-- Fredrik
(No hat)
I have now gone through the -01 draft in some detail. There are a
number of minor nits that I have passed to the authors directly. Most
of the comments below concern the concepts section (section 3):
* Section 3.1 talks about a DPS, and 3.2 the relationship between a
DNSSEC Signing Policy and a Practice Statement. I think that the idea of
a Signing Policy should be explained before discussing the relationship
between the two.
* Section 3.2 discusses when a DPS's terms have a binding effect as a
contract. IANAL, but is it wise to give what could be construed as
legal advice in a draft? (The same goes for much of section 4.8).
* I found section 3.3 (which talks about sets of provisions) confusing.
It makes the whole thing more difficult to understand and seems to
be unnecessary. Wouldn't it be easier to say that a Practice Statement
will address one or more signing policies, and may include information
that is relevant to DNSSEC operations but not a requirement of any
policy? Then retitle section 4 as something like "Suggested Contents of
a DNSSEC Practice Statement".
* Is there a need to prove possession of a private key (4.3.5)? A DS
record can be put in the parent zone without a corresponding KSK in the
child; in these circumstances, how significant is it that the child can
produce the KSK?
* Some of the elements in the physical controls section (4.4.1), and in the
disaster recovery section (4.4.5), though necessary, are probably
already in a separate disaster recovery plan for the installation. The
DPS only need make a reference to it.
Overall, I think it is a useful document; writing a signing policy and
practice statement before the introduction of DNSSEC will help to focus
the mind on getting things right first time.
Stephen
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop