Sam Weiler and Wes Griffin asked for some additional eyes on this document; here are my comments, mainly editorial.

Entire document: decide if you will use re-sign or resign, and use that everywhere

Introduction
first para, last sentence
replace comma with semi-colon after "production environments"

   At the
   time of writing, there exists very little experience with DNSSEC in
   production environments; this document should therefore explicitly
                         ^^^
   not be seen as representing 'Best Current Practices'.

third para, second sentence
replace comma with semi-colon after "in Section 3"


   Aspects of key generation and storage of private keys are discussed
   in Section 3; the focus in this section is mainly on the private part
              ^^^
same para, fourth sentence
replace "these" with "which"
old version:

Since these public keys appear in the DNS
   one has to take into account all kinds of timing issues, these are
   discussed in Section 4.1.                               ^^^^^^^

suggested version:
Since these public keys appear in the DNS
   one has to take into account all kinds of timing issues, which are
   discussed in Section 4.1.                              ^^^^^^^^^

same para, fifth sentence
I believe you mean "supercession", as in "supercedes", not "supersession".

Section 1.2 Time Definitions
third bullet, first sentence
old version: "The period during a key pair is effective"
suggested version: "The period during which a key pair is effective"
                                      ^^^^^

same section, same bullet, last sentence
old version: "The key effectivity period can span multiple signature validity intervals."
suggested version: "The key effectivity period can span multiple signature validity periods."
It seems sensible to use "signature validity period" since you just defined that
term above....

Section 2
para 2, first (only) sentence
old version: "...such as resigning or key rollovers, be transparent...."
suggested: "...such as resigning or key rollovers, will be transparent...."
                                                   ^^^^

Section 2
para 5, second sentence, just removing a comma
old version:
This is most
   obvious in the case of a 'key compromise' when a trade off between
   maintaining a valid chain of trust and replacing the compromised keys
   as soon as possible, must be made.
                     ^^^
suggested version:
This is most
   obvious in the case of a 'key compromise' when a trade off between
   maintaining a valid chain of trust and replacing the compromised keys
   as soon as possible must be made.

second suggestion, add a comma:
This is most
   obvious in the case of a 'key compromise' when a trade off, between
                                                            ^^^
   maintaining a valid chain of trust and replacing the compromised keys
   as soon as possible, must be made.

Section 3.1
first para, third sentence
Replace "Singing" with "Signing"
This is the first instance of the acronym SEP; it needs to be expanded here.
old version:
In practice operators
   use Key Singing and Zone Signing Keys and use the so called SEP flag
   to distinguish between them during operations.

suggested version:
In practice operators
   use Key Signing and Zone Signing Keys and use the so called
           ^^^^^^^
   Secure Entry Point (SEP) flag to distinguish between them during operations.
   ^^^^^^^^^^^^^^^^^^^^^^^^

Section 3.1
second para, first sentence
break up into two sentences, unpluralize rollover
old version:
To make zone re-signing and key rollovers procedures easier to
                                        ^
   implement, it is possible to use one or more keys as Key Signing Keys
   (KSK) these keys will only sign the apex DNSKEY RR set in a zone.
       ^^^^

suggested version:
To make zone re-signing and key rollover procedures easier to
                                       ^^^
   implement, it is possible to use one or more keys as Key Signing Keys
   (KSK). These keys will only sign the apex DNSKEY RR set in a zone.
       ^^^^^

same section and para
use of SEP no longer the first instance, can remove expansion of the term
old version: "...configuration as trusted anchors - the
   so called Secure Entry Point keys (SEP)."
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

suggested version: "...configuration as trusted anchors - the
   SEP keys."
  ^^^^^^^^^^^

Section 3.1.1
first para after the bullets
first sentence, break into two sentences, add "the", pluralize last ZSKs.
old version:"The KSK is used less than ZSK, once a key set is signed with the KSK
                                           ^^^
   all the keys in the key set can be used as ZSK."
                                                 ^^^
suggested version:"The KSK is used less than ZSK. Once a key set is signed with the KSK
                                                ^^^^^
   all the keys in the key set can be used as ZSKs."
                                                 ^^^

Section 3.1.2
final para, final sentence
needs an additional word in there; not sure if it should be "for" or "of"
old version:"Securely updating the trust anchors an enormous population
                                               ^^^
   of resolvers around the world will be extremely difficult."

suggested version:"Securely updating the trust anchors for an
                                                      ^^^^^
   enormous population of resolvers around the world will be extremely
   difficult."

Section 3.3
first para, last sentence
"no body" should be "nobody"

Section 3.4
third para, second sentence
old version:"The creation of signatures creation
                                        ^^^^^^^^
   is roughly the same speed as with RSA, but is 10 to 40 times as slow
                                                                ^^^^^^^
   for verification [11]."

suggested version: "The creation of signatures
                                               ^^^^^^^
   is roughly the same speed as with RSA, but is 10 to 40 times slower
                                                                ^^^^^^
   for verification [11]."

Section 3.5
last para, second sentence, needs some semi-colons
old version: "For RSA,
   verification, the most common operation, will vary roughly with the
   square of the key size signing will vary with the cube of the key
                        ^^^
   size length, and key generation will vary with the fourth power of
             ^^^
   the modulus length."

suggested version: "For RSA,
   verification, the most common operation, will vary roughly with the
   square of the key size; signing will vary with the cube of the key
                        ^^^
   size length; and key generation will vary with the fourth power of
             ^^^
   the modulus length."

Section 4.1.1
first sentence
change period at end to colon.
old version: "....one should consider the following."
suggested version: "....one should consider the following:"

Section 4.2
first para, second sentence
change "supersession" to "supercession"

Section 4.2.1
second para, last sentence.
Just sounds very odd; I'm not sure what the meaning is.

Section 4.2.1
last para, fourth sentence
old version: "If in this case, the key set TTL expires, and the cache
   queries for the zone again, it will get back the new key set signed
   by DNSKEY2."

suggested version: "In this case, if the key set TTL expires, and the cache
   queries for the zone again, it will get back the new key set signed
   by DNSKEY2."

Section 4.2.2
first para, second sentence
old version: "One schema uses double signatures, it is described
   in Section 4.2.2.2, the other uses key pre-publication (Section
   4.2.2.1)."

suggested version: "One schema, described in Section 4.2.2.2, uses double signatures;
                                                                     note semicolon ^^
the other uses key pre-publication (Section 4.2.2.1)."

Section 4.2.2.2
second para, last sentence
old version: "caches will need to expire, this will take at least the
                                          ^^^^^^^^^^^^^^
   maximum Zone TTL ."
                   ^^
suggested version: "caches will need to expire, requiring at least the
                                                ^^^^^^^^^^
   maximum Zone TTL."
                   ^^ extra space removed


Section 4.2.3
paragraph "roll:" last sentence
"parents" should be "parent's"

Section 4.2.3
last para, second sentence
old version: "It also is based on the premises hat...."
suggested version: "It also is based on the premise that...."
                                                  ^^^^

Section 4.2.4
first sentence
change "there are some motivation" to "there is some motivation"

Section 4.3.3
third para, first sentence
old version: "End-user faced with the task of updating anchored key should...."
suggested version: "End-users faced with the task of updating an anchored key 
should...."
                            ^^^                               ^^^^

Section 4.4.1
second para, second sentence
change both semicolons to commas

Section 4.4.4
first para, first sentence
add a comma after "signature"
old version: "Since the DS can be replayed as long as it has a valid signature a
   short signature validity period...."
suggested version: "Since the DS can be replayed as long as it has a valid 
signature, a
         ^^^
   short signature validity period...."

Section 6
second para, last sentence
old version: "In
   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
   and Olivier Courtay, Sam Weiler, Jelte Jansen."
  ^^^^^^
suggested version: "In
   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette,
   Olivier Courtay, Sam Weiler, and Jelte Jansen."
                               ^^^^^
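As an added example (not part of this review or of the draft it comments on), the cache behaviour behind the Section 4.2.2.2 remark that caches will need to expire, requiring at least the maximum Zone TTL: a constructed simulation of a validating resolver cache during a double-signature ZSK rollover. The key tags 1 and 2, the TTL values and the timeline are assumptions chosen for illustration.

```python
# Constructed simulation (an added example, not code from the draft or from
# this review): a validating resolver cache during a double-signature ZSK
# rollover, showing why the old key must stay published for at least the
# maximum zone TTL after the new key is introduced. Times are seconds; key
# tags 1 and 2 stand for the old and the new zone signing key (assumed).

def zone_at(t, t_intro, t_remove):
    """Published DNSKEY key tags and RRSIG signer key tags at time t."""
    if t < t_intro:
        return {1}, {1}            # only the old key is published and signing
    if t < t_remove:
        return {1, 2}, {1, 2}      # double signatures: every RRset signed twice
    return {2}, {2}                # old key withdrawn, new key signs alone


def simulate(t_intro, t_remove, dnskey_ttl, data_ttl, end):
    """Query a cache once per second from 0 to end; the cache refetches the
    DNSKEY RRset and the signed data independently when each TTL expires.
    Return the first time the cached RRSIG no longer matches any cached
    DNSKEY (validation failure), or None if the data always validates."""
    keys, keys_expiry = set(), 0
    signers, data_expiry = set(), 0
    for t in range(end):
        zone_keys, zone_signers = zone_at(t, t_intro, t_remove)
        if t >= keys_expiry:                     # DNSKEY RRset TTL ran out
            keys, keys_expiry = zone_keys, t + dnskey_ttl
        if t >= data_expiry:                     # signed RRset TTL ran out
            signers, data_expiry = zone_signers, t + data_ttl
        if not (keys & signers):                 # no cached key verifies the RRSIG
            return t
    return None


def min_removal_delay(*ttls):
    """Earliest safe gap between introducing the new key and withdrawing the
    old one: the largest TTL in the zone (the draft's 'maximum Zone TTL')."""
    return max(ttls)


if __name__ == "__main__":
    DNSKEY_TTL, DATA_TTL, T_INTRO = 600, 3600, 100
    early = simulate(T_INTRO, T_INTRO + 1800, DNSKEY_TTL, DATA_TTL, 10000)
    safe = simulate(T_INTRO, T_INTRO + min_removal_delay(DNSKEY_TTL, DATA_TTL),
                    DNSKEY_TTL, DATA_TTL, 10000)
    print("old key withdrawn after 1800 s: first failure at", early)
    print("withdrawn after max TTL:", "no failure" if safe is None else safe)
```

The failure appears whichever of the two TTLs is the long one: a cache holding old data under a refreshed key set, or old keys under refreshed data, is left with no verifying key until the longer entry expires.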