Re: [DNSOP] Working Group Last Call for aft-ietf-dnsop-dnssec-bcp
> Nonetheless, the significant deployment of
> DNSSEC within some top-level domains (TLDs), and the near-universal
> deployment of DNSSEC in the TLDs, demonstrate that DNSSEC is suitable
> for implementation by both ordinary and highly sophisticated domain
> owners.

Maybe it's my lack of dns inside baseball terminology but I found the hard distinction between "within" and "in" a bit confusing here and had to re-read to grok what was meant. It might be clearer to contrast e.g. "at the TLDs" with "below/within some TLDs" to bring out the distinction.

> * [RFC7344] describes using the CDS and CDNSKEY resource records to
> help automate the creation of DS records in the parents of signed
> zones.

The term used in the RFC is "maintenance" as opposed to "creation" which seems more precise, given that CDS does not directly address initial creation of a DS.

Gavin

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Working Group Last Call for aft-ietf-dnsop-dnssec-bcp
Hello.

This line is misleading, I believe:

- RFC8198 describes how a validating resolver can emit fewer queries in signed zones that use NSEC for negative caching.

That RFC describes aggressive caching also for NSEC3 and (positive) wildcards. (Of course, opt-out NSEC3 records are basically useless, but many zones are without opt-out.)

For example, the formulation could be simply truncated as:

> RFC8198 describes how a validating resolver can emit fewer queries in signed zones.

--Vladimir | knot-resolver.cz

Re: [DNSOP] Working Group Last Call for aft-ietf-dnsop-dnssec-bcp
Hello,

On Thu, 2022-07-28 at 15:06 -0400, Tim Wicinski wrote:
> All
>
> This starts a Working Group Last Call for aft-ietf-dnsop-dnssec-bcp,
> "DNS Security Extensions (DNSSEC)"
>
> Current versions of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bcp/
>
> The Current Intended Status of this document is: Best Current Practice
>
> Please review the draft and offer relevant comments.

This is a good document and we should publish it, perhaps with a few more edits.

Some nits:

I agree with Chris Box' suggestion, that language also seemed unclear to me.

The mention of 5011 talks about the root, but 5011 does not mention the root at all. 5011 is not limited to the root.

In the list of "Additional Documents of Interest", I think 7129 deserves to be pointed out as an especially important document, as NSEC/NSEC3 are almost impossible to understand without it.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/