DNSSEC Operational Practices
RFC 4641

Note: This ballot was opened for revision 08 and is now closed.

(David Kessens) Yes

(Allison Mankin) Yes

(Brian Carpenter) No Objection

Comment (2006-03-02 for -** No value found for 'p.get_dochistory.rev' **)
No email
send info
A citation such as "Please see [RFC4033] for an introduction to DNSSEC and its
requirements" would be helpful.

The full Gen-ART review by Elwyn Davies with some nits is posted at

(Margaret Cullen) No Objection

(Ted Hardie) No Objection

(Sam Hartman) No Objection

Comment (2006-03-01 for -** No value found for 'p.get_dochistory.rev' **)
No email
send info
I agree that if followed, the advice in this document would produce
secure DNS deployments.  I wonder though whether this isn't one of
those cases where great security is the enemy of any security at all.
I read this advice and can't help but thinking that perhaps secure DNS
just isn't worth the bother of all that work--especially without tools
to do it for me.  And the tools can't really help much if I'm really
going to follow all that advice about air gaps for my keys.  Perhaps
the advice here is appropriate for Google and Microsoft and the root.
I think it's overkill for me and any of the startups I've worked at.
I think that even if I had really long-lived signatures and rarely did
rollover I'd have something significantly better than I do today.  I
wish we did a better job of balancing the security advice we give.

(Russ Housley) (was Discuss) No Objection

(Bert Wijnen) No Record