Document: draft-ietf-dnsext-nsec3-10.txt
Reviewer: Pasi Eronen
Review Date: 18 May 2007
IETF LC End Date: 23 May 2007
IESG Telechat date: 24 May 2007

Summary: This draft is basically ready for publication, but has nits that should be fixed before publication.

Comments:

This is a very complex document, and quite difficult to understand for someone who's not intimately familiar with the existing DNSSEC specs (like myself). Thus, my review is quite superficial...

Some minor suggestions for improvement:

1) This document creates a new registry for NSEC3 RR hash algorithms. Is there a reason why the existing registry for DS RR hash algorithms can't be used?

2) Section 10.1: it would be useful to give a numerical example of what the maximum length is (for, say, "foo.example.com" zone and SHA-1), instead of just saying "it depends".

3) Appendix A: it would be useful if the example zone contained a list of hashes-vs-names as comments (they're included later in the example queries/answers, but wouldn't hurt repeating them...).

4) Section C.1 seems to be in the wrong place. Given its location, I would expect to find only some background information, not sentences containing MUST or SHOULD keywords. Probably this should be somewhere earlier in the document?

5) I found Section C.2.3 very confusing. It's not clear whether this section describes a feature of the protocol, or a feature that was proposed but was not included (and design rationale why not). Either way, this section needs clarification.