Greetings. I had a brief discussion with Olaf Kolkman about some
deficiencies in RFC 4641, and he agreed to revise the document if the
WG is interested. This message is to start gauging interest in that
task.

I started reading RFC 4641 when I was on the panel at ICANN that
reviewed PIR's proposal to start signing .org. I am not a DNSSEC
operator (yet), so I came to the document with a novice's eyes. There
are three areas which I found problematic:

- The cryptography that got added after WG LC is flawed. The
calculations of appropriate key sizes start with solid numbers
(quoted from an RFC that Hilarie Orman and I wrote) and then quickly
fall into handwaving. It can be greatly simplified.
- The discussion of key rollover times has no justification for the
times chosen. There is no discussion of the attacks that the rollover
is trying to mitigate. Such a discussion would help a zone decide
that zone's rollover policies.
- It is not clear when the document is talking about publishing keys
as trust anchors and when it is talking about publishing them in a
signed parent zone. These two scenarios are vastly different,
particularly with respect to key rollover.

Olaf agreed that there may be more operational input from people who
are currently deploying DNSSEC, and that this document might be ripe
for a renewal even though it is less than two years old. How do
people in the WG feel about this?

--Paul Hoffman, Director
--VPN Consortium