On Mon, Feb 26, 2018 at 7:12 PM, Wessels, Duane <dwessels@verisign.com> wrote:
Ah, thanks for clarifying that. I should've read the TSIG RFC more carefully. I withdraw my objection to "protected"!
another attempt:
The transfer of the root zone file from the Root Zone Maintainer (RZM) to the individual RSOs occurs via the DNS zone transfer protocols (AXFR in RFC 5936 and IXFR in RFC 1995). These zone transfer messages are protected by the use of TSIG resource records as described in RFC 2845. This is a reliable protocol and we are not aware of any incidents of data corruption. Furthermore, since the root zone is signed, incorrect or falsified answers can be detected by DNSSEC validators. RSSAC encourages all recursive name server operators to enable DNSSEC validation when possible.
Looks good to me! Shumon.