On Fri, Feb 9, 2018 at 8:28 AM, Warren Kumari <warren@kumari.net> wrote:

On Fri, Feb 9, 2018 at 5:51 AM, Andrew Mcconachie
<andrew.mcconachie@icann.org> wrote:
> Dear RSSAC Caucus Members,
>
> On behalf of the RSSAC please find the RSSAC FAQ attached for your review.
> Please provide comments/edits to the list or in the document by February
> 23rd, 2018.
>

3: I find the answer to 3 to be unsatisfactory -- the answer doesn't
really answer the question asked.
DNSSEC protects individual data, but if an RSO downloads a zonefile
which is truncated, or signatures don't validate, DNSSEC is very
unlikely to solve this. Pointing out that DNSSEC saves resolvers from
**believing** corrupt data would be good, but I think pointing at
TSIG here would be a really good addition. "The transfer of the
zonefile is protected with TSIG, but even in the unlikely event the
file were to become corrupted after transfer, <dnssec, dnssec>."

Yes, I agree - DNSSEC is not the answer to "How do you ensure

that the root zone is properly replicated?" (I assume from the root

zone maintainer to the root server operators.

In fact, DNSSEC cannot be the answer to this because significant portions

of the root zone data are not signed (e.g. non-authoritative data like delegation

NS record sets and associated glue records). TSIG or some alternative form

of cryptographically integrity protected transport mechanism is needed.

Maybe the RSSAC FAQ can elaborate on what mechanisms are actually

in place to ensure correct transfer of the root zone to to the RSOs.

Shumon Huque.