Paul,

On 04/02/2015 04:13 PM, Paul Hoffman wrote:
On Apr 2, 2015, at 12:32 AM, Matthijs Mekking
<matth...@pletterpet.nl> wrote:
Actually I think $DEFAULT_TTL should be in Zones too as it only
exists in zone files.

Sorry, I meant $TTL here, from RFC 2308. My point is that it is something
that can be set in zone files, so "default ttl" should be in the section
about Zones.


This does not seem to be a commonly used term, does it?

Should we also define zone enumeration?

Only if we agree on a definition. Proposal?

Perhaps we can quote RFC 5155 here:

Zone enumeration is enabled by the set of NSEC records that exists
inside a signed zone.  An NSEC record lists two names that are
ordered canonically, in order to show that nothing exists between
the two names.  The complete set of NSEC records lists all the
names in a zone.  It is trivial to enumerate the content of a zone
by querying for names that do not exist.

Yeah, I realized that after I sent the message last night, and
already put it in the pre-draft. I tweaked a bit because we have
definitions for NSEC and NSEC3 as well, and now the considerations
from NSEC5.


On page 13 KSK and ZSK are described. There is also a notion of
a Combined Signing Key (CSK) [1]. In RFC 6781 this is called a
Single-Type Signing Scheme: "In cases where the
differentiation between the KSK and ZSK is not made, i.e.,
where keys have the role of both KSK and ZSK, we talk about a
Single-Type Signing Scheme." Would it be worth adding this term
to this document?

That seems to be a very new term, maybe premature for this
document.

I disagree: We have been talking about this in DNSOP for years,
also referred to as Combined Signing Key (CSK).

The term "combined signing key" doesn't appear in any RFC, and "CSK"
only appears once, in RFC 5155 as part of an octet string. :-)

I think it is important that people who read this terminology
realize that a key can be a KSK and ZSK at the same time.

Fully agree.

Think of a key as an actor and Key-signing and Zone-signing as
roles: An actor can have multiple roles.

I can be talked into not adding this term to this document but then
I would like to see one additional line, something like:

The roles KSK and ZSK are not mutually exclusive: A single key can
be both KSK and ZSK at the same time.

That seems fine. If either CSK or Single-Type Signing Scheme become
more common terms, we can add them to an updated RFC.

Fair enough.

Best regards,
  Matthijs



--Paul Hoffman
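The RFC 5155 passage quoted in the thread states that zone enumeration is trivial once a zone is NSEC-signed. The following is an added example, not part of this mailing-list exchange or of the terminology draft: it walks a constructed NSEC chain the way an enumerating client would, using only queries for names that do not exist, and then hashes the same owner names the NSEC3 way to show why walking an NSEC3 chain hands out hashes rather than names. The zone contents and the helper names (`walk_zone`, `covering_nsec`, `chain_is_closed`, `nsec3_hash`) are my own assumptions for illustration; the only external data point is the RFC 5155 Appendix A hash parameters used in the `main` block.

```python
# Added example, not from the DNSOP thread: enumerate a signed zone by walking
# its NSEC chain (RFC 4034 s4, RFC 5155 s1) and contrast with NSEC3 hashing
# (RFC 5155 s5). The zone below is constructed for illustration.
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str       # owner name, fully qualified
    next_name: str   # "Next Domain Name" field
    types: tuple     # type bit map, as mnemonics


APEX = "example."

# Constructed zone: NSEC records in canonical order; the last one wraps to the apex.
ZONE_NSEC = [
    NSEC("example.",       "alpha.example.", ("SOA", "NS", "DNSKEY", "RRSIG", "NSEC")),
    NSEC("alpha.example.", "beta.example.",  ("A", "RRSIG", "NSEC")),
    NSEC("beta.example.",  "mail.example.",  ("AAAA", "RRSIG", "NSEC")),
    NSEC("mail.example.",  "www.example.",   ("A", "MX", "RRSIG", "NSEC")),
    NSEC("www.example.",   "example.",       ("A", "AAAA", "RRSIG", "NSEC")),
]


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 s6.1 canonical name order: labels compared right to
    left, case-insensitively; a parent name sorts before its children."""
    labels = name.rstrip(".").lower().split(".") if name != "." else []
    return tuple(reversed(labels))


def covering_nsec(qname: str, nsecs: list) -> NSEC:
    """The NSEC an authoritative server returns to prove qname does not exist:
    owner <= qname < next_name, or the wrap-around record at the end of the chain."""
    q = canonical_key(qname)
    for rr in nsecs:
        lo, hi = canonical_key(rr.owner), canonical_key(rr.next_name)
        if lo <= q < hi:
            return rr
        if hi <= lo and (q >= lo or q < hi):   # last record: next_name is the apex
            return rr
    raise LookupError(f"no NSEC covers {qname!r}")


def walk_zone(apex: str, nsecs: list) -> list:
    """Enumerate every owner name in the zone using only queries for names that
    do not exist. Raises LookupError if the chain is broken."""
    found, current = [], apex
    while True:
        # The label \000 sorts before every other label, so "\000.<current>" is the
        # first name after <current> in canonical order and cannot exist here; the
        # NSEC proving that is owned by <current> and names the next owner.
        rr = covering_nsec("\x00." + current, nsecs)
        found.append((rr.owner, rr.types))
        current = rr.next_name
        if current == apex or any(o == current for o, _ in found):
            return found


def chain_is_closed(apex: str, nsecs: list) -> bool:
    """Check a signer or auditor would run: following next_name from the apex
    must visit every NSEC exactly once and return to the apex."""
    by_owner = {rr.owner: rr for rr in nsecs}
    visited, current = set(), apex
    while True:
        rr = by_owner.get(current)
        if rr is None or rr.owner in visited:
            return False
        visited.add(rr.owner)
        current = rr.next_name
        if current == apex:
            return len(visited) == len(nsecs)


def name_to_wire(name: str) -> bytes:
    """Uncompressed, lowercased wire-format name (what RFC 5155 s5 hashes)."""
    labels = name.rstrip(".").lower().split(".") if name != "." else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 s5: H(x) = SHA-1(x || salt), applied iterations+1 times, base32hex."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32HEX).lower()


if __name__ == "__main__":
    assert chain_is_closed(APEX, ZONE_NSEC)
    for owner, types in walk_zone(APEX, ZONE_NSEC):
        print(f"{owner:<16} {' '.join(types)}")
    # An NSEC3 chain links hashed owner names, so the same walk yields only hashes
    # that must be brute-forced offline; salt and iterations (here the RFC 5155
    # Appendix A parameters) exist to make that more expensive, not impossible.
    salt = bytes.fromhex("aabbccdd")
    for owner, _ in walk_zone(APEX, ZONE_NSEC):
        print(f"{owner:<16} -> {nsec3_hash(owner, salt, 12)}")
```

`walk_zone` never asks for a name it already knows; each query is for a name guaranteed to be absent, and the denial-of-existence proof itself leaks the next owner, which is exactly the point of the quoted RFC text. Running the same loop against an NSEC3 zone gives the hashed names, so the enumeration becomes a dictionary attack whose cost is set by the salt and iteration count.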


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
