Hi Sebastian, This looks like a great improvement over the first document. I haven't had time to go over it in detail, but I didn't want to wait before giving you guys some worthy praise. I'll get some time over the next few days to comment in more details. Regards, Dean On 1/07/11 4:40 PM, Sebastian Castro wrote:
To the NZNOG community:
After weeks of work discussing and addressing the concerns the NZNOG members have raised about the DNSSEC Practice Statement for .nz, we'd like to present a new version of the document.
Version 1.1 is available at http://www.nzrs.net.nz/dns/dnssec/dps The changes between Version 1.0 and Version 1.1 are posted at http://www.nzrs.net.nz/dns/dnssec/dps/history and also includes the previous version in PDF format.
Minor changes have been made throughout the document.
The following sections have been updated with more information as requested by the community 1.4. Document Management 4.1. Site Controls 4.3.3. Trusted individuals 4.4.5. Vulnerability assessments 4.6.1. Incident Detection and compromise handling procedures 7.1. Frequency of entity compliance audit
For the following sections we have made changes to our design to address the concerns raised by the community 6.1. Key lengths and algorithms 4.3.1. Trusted roles 4.3.2. Number of persons required per task
We are still working on the Key Pair Generation procedures and it is our intention to update that part of the DPS in the coming weeks and to also publish more technical details on the Key Pair Generation Procedure. The technical details will be released as a separate document that will also include details of the scripts used.
The intention of the DPS document is to assist you in determining the level of trust that you may assign to DNSSEC in the .nz domain and for you to assess your own risk.
We'd like to encourage discussion around this new version of the document. Please feel free to ask any questions about the DPS or provide any suggestions for improvements to the document.
If you need to make a non-public comment, feel free to contact me or Dave Baker (dave(a)nzrs.net.nz)
Regards,