Evaluation: draft-ietf-dnsext-keyrr-key-signing-flag
DISCUSS:
The document fails to distinguish public keys and private keys. This is
prevalent throughout the document. For example:
One key is used to sign just the zone's KEY
resource record (RR) set and is the key
referenced by a DS RR at the parent or
configured statically in a resolver.
The first half of the sentence is referring to the private key that is used
to sign the RR set, and the second half of the sentence is referring to the
public key that is used to validate the signature on the RR set. People
who are very familiar with public key cryptography may not get confused,
but I believe that many implementors will be misled.
It is interesting to note that the 'KSK' and 'ZSK' labels are being applied
to the public keys, which are used for signature validation, not the
private keys, which are used for signing.
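The following Go program is an added illustration of the distinction raised above; it is not part of the evaluation or of the draft. It models the two halves of a key pair and shows that signing the KEY RRset consumes only the private half, while the DS digest and validation consume only the public half carrying the SEP flag. It assumes Ed25519 (DNSKEY algorithm 15), a simplified RDATA layout, and the flag bit values from RFC 3757 / RFC 4034 (SEP = bit 15, Zone Key = bit 7); the DS digest omits the owner name that a real DS covers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Flag bits of the KEY/DNSKEY flags field (RFC 3757 / RFC 4034).
const (
	flagZoneKey uint16 = 0x0100 // bit 7: zone key
	flagSEP     uint16 = 0x0001 // bit 15: Secure Entry Point, the "key-signing" flag
)

// KeyPair keeps both halves together; Flags and Public are what the KEY RR publishes, Private never appears in DNS.
type KeyPair struct {
	Flags   uint16
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}
func newKeyPair(flags uint16) (KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return KeyPair{Flags: flags, Public: pub, Private: priv}, err
}
// rdata is a simplified KEY RDATA: flags, protocol 3, algorithm 15 (Ed25519), public key (assumption).
func (k KeyPair) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, 15}, k.Public...)
}
// keyRRset is the signed data: the RDATA of every published key, public halves only.
func keyRRset(keys []KeyPair) (out []byte) {
	for _, k := range keys {
		out = append(out, k.rdata()...)
	}
	return out
}
// dsDigest models the DS RR at the parent: a hash over the public half only (simplified: no owner name).
func dsDigest(k KeyPair) [32]byte { return sha256.Sum256(k.rdata()) }
// signKeyRRset is the "sign the zone's KEY RRset" side: it needs the KSK's PRIVATE half.
func signKeyRRset(ksk KeyPair, keys []KeyPair) []byte {
	return ed25519.Sign(ksk.Private, keyRRset(keys))
}
// validateKeyRRset is the "referenced by a DS RR" side: only PUBLIC halves flagged SEP are consulted.
func validateKeyRRset(keys []KeyPair, sig []byte) bool {
	for _, k := range keys {
		if k.Flags&flagSEP != 0 && ed25519.Verify(k.Public, keyRRset(keys), sig) {
			return true
		}
	}
	return false
}
```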
COMMENT:
In section 2, the document says: "The SEP bit (TBD) ..." The bit position
of the SEP flag bit has been set, so I do not understand the "TBD."