I have read the doc and support it. Some minor comments/suggestions based on Ed's message:
Edward Lewis wrote:

> At 20:13 +0200 4/22/09, Peter Koch wrote:
>> this is to initiate a working group last call on
>>
>> "DNSSEC Trust Anchor Configuration and Maintenance"
>> draft-ietf-dnsop-dnssec-trust-anchor-03.txt
>>
>> ending Friday, 2009-05-08, 23:59 UTC. The tools site gives easy access to
>> diffs and such under
>
> #3. Trust Anchor Priming
> ...
> # 3. Verify that the DNSKEY RR corresponding to the configured trust
> #    anchor (i.e., the DNSKEY whose hash is configured) appears in the
> #    DNSKEY RRSet and that this DNSKEY RR has the Zone Key Flag
> #    (DNSKEY RDATA bit 7) set. (This bit only indicates that the
> #    DNSKEY is allowed to sign the zone. This DNSKEY may or not be a
> #    zone signing key.)
>
> Last sentence? - "This DNSKEY might not be a zone signing key.")
>
> But I'm not sure what is meant. At first the paragraph reads - make
> sure the Zone Key Flag is set and later says it "may or [may] not be a
> zone signing key."

I might suggest the last two sentences read:

  (This bit only indicates that the DNSKEY is allowed to sign zone data. This DNSKEY may or may not be a zone signing key (ZSK) as defined in RFC 4641 [RFC4641].)

if the intention was that the trust anchor may be a ZSK or a KSK, but it must have the zone signing bit set either way. Then have RFC 4641 as a ref. Although with RFC4641-bis being worked on, that may quickly become dated...

Also, as Paul pointed out, it looks like Paul and I are one person with a long name. :)

Scott

-- 
Scott Rose
Computer Scientist
NIST
ph: +1 301-975-8439
scott.r...@nist.gov
http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
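The priming step quoted above (find the DNSKEY whose hash matches the configured anchor, then confirm bit 7 is set) as an added worked example; this is not code from the draft or the thread. It assumes a DS-style trust anchor (key tag, algorithm, digest type, digest) as in RFC 4034 and RFC 4509, and the DNSKEY records are constructed sample data, not real keys.

```python
import hashlib
import struct

# Zone Key flag: DNSKEY RDATA bit 7 (RFC 4034 2.1.1). The SEP bit (bit 15) is only a
# hint for operators and plays no part in the check below.
ZONE_KEY_FLAG = 0x0100

def name_to_wire(name):
    """Owner name in canonical wire format (lower-cased labels, RFC 4034 6.2)."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Assemble DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest over owner-name wire format | DNSKEY RDATA (RFC 4034 5.1.4, RFC 4509)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def find_anchor_key(owner, dnskey_rrset, anchor):
    """Priming step 3: return the RRset member matching the configured anchor
    (tag, algorithm, digest type, digest) that also has the Zone Key flag; else None."""
    tag, alg, dtype, digest = anchor
    for rdata in dnskey_rrset:
        flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
        if (algorithm != alg or key_tag(rdata) != tag
                or ds_digest(owner, rdata, dtype) != digest.upper()):
            continue
        # Same hash as the anchor, so this is the configured key; reject if bit 7 is clear.
        if protocol != 3 or not flags & ZONE_KEY_FLAG:
            return None
        return rdata
    return None

# Constructed sample RRset for the root zone (not real keys): a KSK (257 = zone key +
# SEP), a ZSK (256 = zone key only) and a key with the Zone Key flag cleared.
KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(1, 33)))
ZSK = dnskey_rdata(256, 3, 8, b"\x03\x01\x00\x01" + bytes(range(33, 65)))
NOT_ZONE_KEY = dnskey_rdata(0, 3, 8, b"\x03\x01\x00\x01" + bytes(range(65, 97)))
ROOT_RRSET = [ZSK, KSK, NOT_ZONE_KEY]
```

Either a KSK or a ZSK passes as long as bit 7 is set, which is the reading Scott proposes; a key whose digest matches the anchor but lacks the flag is rejected rather than silently accepted.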