Dan,
I read your draft and I have a concern. The document makes a lot of
observations about the current state of DNSSEC implementation, so I am
afraid that this publication gets outdated quickly.
So I do think it's a good idea to highlight which pieces in the DNS
infrastructure needs attention when deploying a new DNSSEC algorithm, I
doubt that current limitations must be mentioned.
I am also not sure if the IETF is the appropriate place for this
document, or that it would feel more at home within the RIPE/NANOG/...
community.
Some more comments about the text:
In section 2.1.1 there is a note on an in 2016 standards non-compliant
resolver. Having RFCs (to be) note that other RFCs are not safe to
assume its implemented is a bit ridiculous to me. It is a given that
there are bugs, and thus it can be said of any RFC that it is not safe
to assume it is implemented correctly. I suggest to drop the paragraphs
starting from "Note that at least one in 2016 case..."
In section 2.2 it says authoritative servers should be able to serve new
crypto algorithms with no adjustment to the code, except for NSEC/NSEC3
responses. If it's signing algorithms you are talking about, these
should also be agnostic right? If it's the hashing algorithm you are
talking about, then the "NSEC" mentioning should be removed. In other
words, this paragraph needs clarification.
In section 2.3 there is an identified issue that not all signing
software supports algorithm rollover. This is an observation that can
quickly go out to date and I suggest removing it.
Best regards,
Matthijs
On 15-11-16 13:41, Dan York wrote:
As mentioned at the very end of DNSOP, Olafur Gudmundsson, Ondrej Sury,
Paul Wouters and I have a draft published that aims to document the
steps involved with deploying a new cryptographic algorithm for DNSSEC.
The overall goal is to make it easier to get new DNSSEC crypto
algorithms deployed, both through documenting existing steps - and then
potentially building off of this work with new documents to improve
some of the steps. Right now we'd like to get ECDSA out, but EdDSA is
coming out soon and it would be great to get that deployed sooner rather
than later.
As I said in the session, we'd like to get reviewers and then get the
document adopted by the WG and moved along toward publication.
The draft is at either of:
https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/
https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-04
Please send any comments to the list or to us as authors.
I also am maintaining this over in Github
at: https://github.com/danyork/draft-deploying-dnssec-crypto-algs If
you are a Github user you are welcome to file an issue there or send
text in a pull request.
Regardless, we'd just like any feedback (even if to say that it looks good).
Thanks,
Dan
--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org <mailto:y...@isoc.org> +1-802-735-1624
Jabber: y...@jabber.isoc.org <mailto:y...@jabber.isoc.org>
Skype: danyork http://twitter.com/danyork
http://www.internetsociety.org/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
