I'm delighted to see that the NCC has set an aggressive schedule for DNSSEC deployment. Here are some comments on the draft procedures, as requested:
"DNSSEC Key Maintenance Procedure" http://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html
At a first pass, this document looks very good.
"Procedure for Requesting DNSSEC Delegations" http://www.ripe.net/rs/reverse/dnssec/registry-procedure.html
Many things in this look good (not rejecting keys without the SEP bit set, dealing with unsupported message digests, allowing multiple DS records), but I have a few concerns. First, do you need to specify the encoding of the ds-rdata attribute in more detail? I'm worried about the first two rules in the "Delegation Checks" portion of this procedure. Assuming a working delegation chain is in place for each algorithm present in the DS set, it is really necessary to have each of the DNSKEYs present in the zone (the first rule)? I suggest instead: -- For each algorithm present in the set of ds-rdata attributes, is there a matching DNSKEY available in the DNS for at least one of the ds-rdata attributes with that algorithm? (Apologies for the poor word-smithing.) Also, the second test (valid RRSIG, presumably on the DNSKEY RRset) is only possible for supported crypto algorithms. Private algorithms may confound this rule. I suggest: -- "For each of the supported algorithms (3 and 5) present in the set of ds-rdata attributes, is there a valid RRSIG on the DNSKEY RRset made with a DNSKEY that both matches the ds-rdata attribute and is published in the DNS?" or -- "For each of the DNSKEYs identified by rule #1, is there at least one valid RRSIG on the DNSKEY RRset made with a DNSKEY of each algorithm?" And in the text below, say "Tests #2 and #4 will only be performed for supported algorithms". (Again, I suggest 3 and 5). Lastly, I don't understand this description of the web interface: "It will use the "ds-rdata:" attribute of the domain object currently available in the RIPE Whois Database to select the appropriate default DNSKEY RR. It will then select a new "ds-rdata:" attribute." Does this mean that the current ds-rdata will always be replaced? -- Sam