

To: <dnsop@cafax.se>
From: "Scott Rose" <scottr@nist.gov>
Date: Mon, 25 Aug 2003 13:31:48 -0400
Sender: owner-dnsop@cafax.se
Subject: Re: draft-kolkman-dnssec-operational-practices-00.txt

An opinion on section 3.2 (Security Key Considerations):  It is the wrong
place for a discourse on key strength, but a reference would be good for
further info for someone interested.  Otherwise, it might be good to give
some rough rules to follow such as "the larger the zone, the larger the key"
and "the larger the zone, the more frequent zone key rollovers should be".

I think this may help neophyte admins get a basic understanding.

Scott


----- Original Message ----- 
From: "Olaf M. Kolkman" <olaf@ripe.net>
To: <dnsop@cafax.se>
Sent: Monday, August 25, 2003 3:26 AM
Subject: draft-kolkman-dnssec-operational-practices-00.txt


>
>
> Colleagues,
>
> draft-kolkman-dnssec-operational-practices-00.txt is now in the I-D
> repository.
>
>
> To give you an idea about content the abstract and index are copied
> below.
>
>
> Does the working group want to accept this document as a working group
> item?
>
>
> -- Olaf
>
>
>
> ---------------------------------| Olaf M. Kolkman
> ---------------------------------| RIPE NCC
>
>
>
>
> Abstract
>
>    This Internet-Draft is intended as a place holder for considerations
>    and operational practices for DNSSEC key-management.  It is intended
>    to be 'long-lived' and result in documentation of best(?) current
>    practices.
>
>
> Table of Contents
>
>    1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
>    2.    Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . .  3
>    2.1   Time definitions . . . . . . . . . . . . . . . . . . . . . .  3
>    2.2   Time considerations  . . . . . . . . . . . . . . . . . . . .  4
>    3.    Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
>    3.1   Using Key-Signing and Zone-Signing Keys. . . . . . . . . . .  6
>    3.1.1 Motivations for the KSK and ZSK functions  . . . . . . . . .  6
>    3.2   Key security considerations  . . . . . . . . . . . . . . . .  6
>    3.3   Key rollovers  . . . . . . . . . . . . . . . . . . . . . . .  7
>    3.3.1 Zone-signing key rollovers . . . . . . . . . . . . . . . . .  7
>    3.3.2 Key-signing key rollovers  . . . . . . . . . . . . . . . . . 10
>    4.    Planning for emergency key rollover. . . . . . . . . . . . . 11
>    4.1   KSK compromise . . . . . . . . . . . . . . . . . . . . . . . 12
>    4.2   ZSK compromise . . . . . . . . . . . . . . . . . . . . . . . 12
>    4.3   Compromises of keys configured at the resolver level . . . . 12
>    5.    Parental policies. . . . . . . . . . . . . . . . . . . . . . 13
>    6.    Initial key exchanges and parental policies
>          considerations.  . . . . . . . . . . . . . . . . . . . . . . 13
>    6.1   Storing keys so hashes can be regenerated  . . . . . . . . . 13
>    6.2   Self signed keys during upload or not? . . . . . . . . . . . 13
>    6.3   Security lameness checks.  . . . . . . . . . . . . . . . . . 13
>    6.4   SIG DS validity period.  . . . . . . . . . . . . . . . . . . 13
>    7.    Resolver key configuration.  . . . . . . . . . . . . . . . . 13
>    8.    Security considerations  . . . . . . . . . . . . . . . . . . 13
>    9.    Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 13
>          Normative References . . . . . . . . . . . . . . . . . . . . 14
>          Informative References . . . . . . . . . . . . . . . . . . . 14
>          Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 15
>    A.    Terminology  . . . . . . . . . . . . . . . . . . . . . . . . 15

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
