On Fri, Feb 9, 2018 at 8:28 AM, Warren Kumari <warren@kumari.net> wrote:
On Fri, Feb 9, 2018 at 5:51 AM, Andrew Mcconachie <andrew.mcconachie@icann.org> wrote:
Dear RSSAC Caucus Members,
On behalf of the RSSAC please find the RSSAC FAQ attached for your review. Please provide comments/edits to the list or in the document by February 23rd, 2018.
3: I find the answer to 3 to be unsatisfactory -- the answer doesn't really answer the question asked. DNSSEC protects individual data, but if an RSO downloads a zonefile which is truncated, or signatures don't validate, DNSSEC is very unlikely to solve this. Pointing out that DNSSEC saves resolvers from **believing** corrupt data would be good, but I think pointing at TSIG here would be a really good addition. "The transfer of the zonefile is protected with TSIG, but even in the unlikely event the file were to become corrupted after transfer, <dnssec, dnssec>."
Yes, I agree - DNSSEC is not the answer to "How do you ensure that the root zone is properly replicated?" (I assume from the root zone maintainer to the root server operators. In fact, DNSSEC cannot be the answer to this because significant portions of the root zone data are not signed (e.g. non-authoritative data like delegation NS record sets and associated glue records). TSIG or some alternative form of cryptographically integrity protected transport mechanism is needed. Maybe the RSSAC FAQ can elaborate on what mechanisms are actually in place to ensure correct transfer of the root zone to to the RSOs. Shumon Huque.