
Comments on dnssec-trans-01

I apologize for not thoroughly reviewing this doc -- I've only looked
at small sections of it.

First, as might be guessed from my comments on the dnsop list this
morning, I suggest adding a section (2.2.4?) about using a different
hash (digest) in the parent DS record.

Second, I find the algorithm roll section (2.2.3) unsatisfying.  I
imagined that algorithm signaling would necessarily happen in a zone's
DS record (in its parent), since algorithms can't be removed after
that point.  The section title and the below line, since they focus on
RRSIG, seem misleading:
   The different interpretation
   would be signaled by use of different signature algorithms in the
   RRSIG records covering the NSEC RRs.

Section 2.2.3.2 is very confusing, also.  The first line talks about
treating NSEC RRs as unsigned, when it's the zone that is treated as
unsigned (unsecure, in the language of bis), not individual RRsets.
This line:
   Also, all positive signatures (RRSIGs on RRSets other than DS,
   NSEC) appear insecure/bogus to an old validator.
is very confusing for two reasons: first, the RRSIGs should appear as
irrelevant, which is closer to unsecure than bogus (insecure and
bogus are not the same thing in this context).  Second, the
parenthetical definition of "positive signatures" doesn't make sense
to me: presumably the zone's own DS (in the parent) is signed with a
known algorithm (so appears as secure) -- I don't know why DS's in the
zone (for children) aren't "positive signatures".

-- Sam
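As an added illustration of the unsecure-versus-bogus distinction raised above (example code, not part of the original message or of the draft), here is a simplified model of how an old validator classifies a child zone from the parent's DS RRset per RFC 4035 section 5.2: DS records whose algorithm or digest type it does not support are ignored, and if none remain the zone is unsecure rather than bogus. The DS/RRSIG values are constructed and signature verification is reduced to a flag.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm and DS digest-type numbers used below:
# algorithm 5 = RSASHA1, 13 = ECDSAP256SHA256; digest 1 = SHA-1, 2 = SHA-256.

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    verifies: bool  # constructed stand-in for actual signature checking

def zone_status(ds_rrset, rrsigs, supported_algs, supported_digests):
    """Return 'unsecure', 'secure' or 'bogus' as a validator with the given
    algorithm/digest support would, using only the parent DS RRset and the
    RRSIGs covering a child RRset (simplified model, not a full validator)."""
    # RFC 4035 5.2: DS records with unsupported algorithm OR digest type are
    # ignored; if no usable DS remains, the child zone is treated as unsigned.
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algs
              and ds.digest_type in supported_digests]
    if not usable:
        return "unsecure"
    # A usable DS means the validator expects a verifiable RRSIG made with a
    # key it can chase from that DS. RRSIGs in algorithms it does not know are
    # simply irrelevant; they neither help nor, by themselves, cause failure.
    for sig in rrsigs:
        if sig.algorithm not in supported_algs:
            continue
        if any(ds.key_tag == sig.key_tag and ds.algorithm == sig.algorithm
               for ds in usable) and sig.verifies:
            return "secure"
    return "bogus"

# Constructed scenarios: an "old" validator knowing only RSASHA1 + SHA-1.
OLD_ALGS, OLD_DIGESTS = {5}, {1}

def scenarios():
    only_new_alg = zone_status([DS(100, 13, 2)], [RRSIG(100, 13, True)],
                               OLD_ALGS, OLD_DIGESTS)          # new alg only
    new_digest = zone_status([DS(200, 5, 2)], [RRSIG(200, 5, True)],
                             OLD_ALGS, OLD_DIGESTS)            # SHA-256 DS only
    half_rolled = zone_status([DS(200, 5, 1), DS(100, 13, 2)],
                              [RRSIG(100, 13, True)], OLD_ALGS, OLD_DIGESTS)
    both_signed = zone_status([DS(200, 5, 1), DS(100, 13, 2)],
                              [RRSIG(200, 5, True), RRSIG(100, 13, True)],
                              OLD_ALGS, OLD_DIGESTS)
    return only_new_alg, new_digest, half_rolled, both_signed
```

The third scenario is the failure case an algorithm roll must avoid: once the parent DS advertises an algorithm the old validator supports, the zone has to carry RRSIGs in that algorithm too, or the old validator returns bogus rather than unsecure.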

archive: <http://ops.ietf.org/lists/namedroppers/>