DNSSEC Operational Practices
Note: This ballot was opened for revision 08 and is now closed.
(David Kessens) Yes
(Allison Mankin) Yes
(Brian Carpenter) No Objection
Comment (2006-03-02)
A citation such as "Please see [RFC4033] for an introduction to DNSSEC and its requirements" would be helpful. The full Gen-ART review by Elwyn Davies with some nits is posted at http://www.alvestrand.no/ietf/gen/reviews/draft-ietf-dnsop-dnssec-operational-practices-07-davies.txt
(Margaret Cullen) No Objection
(Ted Hardie) No Objection
(Sam Hartman) No Objection
Comment (2006-03-01)
I agree that if followed, the advice in this document would produce secure DNS deployments. I wonder though whether this isn't one of those cases where great security is the enemy of any security at all. I read this advice and can't help but think that perhaps secure DNS just isn't worth the bother of all that work--especially without tools to do it for me. And the tools can't really help much if I'm really going to follow all that advice about air gaps for my keys. Perhaps the advice here is appropriate for Google and Microsoft and the root. I think it's overkill for me and any of the startups I've worked at. I think that even if I had really long-lived signatures and rarely did rollover I'd have something significantly better than I do today. I wish we did a better job of balancing the security advice we give.