On Jan 4, 2023, at 3:46 AM, Renard, Kenneth D CTR USARMY DEVCOM ARL (USA) via rssac-caucus <rssac-caucus@icann.org> wrote:
Proposed for discussion and word-smithing (new question and added last sentence to existing text):

4.2 Are there [other] ways to verify the integrity of the root zone data?

RFC 8976 [datatracker.ietf.org] defines a mechanism for ensuring the integrity of a DNS zone file using a ZONEMD record that “provides a cryptographic message digest over DNS zone data at rest”. As noted in a statement published by the root-server operators, RSOs will not enable ZONEMD verification for the first year after the initial publication of ZONEMD records. This is not deployed yet, but there are plans to do so in the future. ZONEMD verification can also be used by other consumers of the root zone file (for example, recursive operators deploying RFC 8806) to verify the authenticity and integrity of the root zone data.
This still doesn't seem like a frequently-asked question. Even if it is, an answer that will only be true in the future doesn't seem useful in this version of the FAQ. After ZONEMD is deployed in the root zone, this might be a more frequently-asked question, and this would be a reasonable answer except for the last sentence. RFC 8806 requires the resolver to use DNSSEC for validating the contents, and does not predict the future where there would be ZONEMD. Without the words in the parentheses, the last sentence is fine (well, will be fine in the future). --Paul Hoffman
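For readers who want to see what the ZONEMD verification discussed in this thread actually involves, the following is an added worked example in Python; it is not code from the thread, from RSSAC, or from any root server operator. It computes the RFC 8976 digest (scheme SIMPLE, hash SHA-384) over a small constructed zone using the canonical RR form and ordering of RFC 4034 section 6, publishes the apex ZONEMD record on the producer side, and then verifies it on the consumer side, rejecting a tampered record and a ZONEMD whose serial no longer matches the SOA. The zone contents, owner names, TTLs and serial are constructed sample data, and only the A, AAAA, NS, SOA and ZONEMD types are implemented.

```python
"""Added example (not from the thread, RSSAC, or any RSO): compute and verify an
RFC 8976 ZONEMD digest, scheme SIMPLE (1) with SHA-384 (1), over a constructed
zone, using the canonical RR form and ordering of RFC 4034 section 6."""
import hashlib
import hmac
import ipaddress
import struct

CLASS_IN = 1
TYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
SCHEME_SIMPLE = 1
HASH_SHA384 = 1


def _labels(name):
    """Lowercased labels of an absolute name; the root '.' has no labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def wire_name(name):
    """Uncompressed, lowercased domain name (canonical form, RFC 4034 s6.2)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name))
    return out + b"\x00"


def rdata_wire(rtype, fields):
    """Canonical RDATA for the handful of types this example supports."""
    if rtype == "A":
        return ipaddress.IPv4Address(fields[0]).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(fields[0]).packed
    if rtype == "NS":
        return wire_name(fields[0])
    if rtype == "SOA":  # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
        return (wire_name(fields[0]) + wire_name(fields[1])
                + struct.pack("!5I", *(int(x) for x in fields[2:7])))
    if rtype == "ZONEMD":  # SERIAL SCHEME HASHALG DIGEST(hex)
        return (struct.pack("!IBB", int(fields[0]), int(fields[1]), int(fields[2]))
                + bytes.fromhex(fields[3]))
    raise ValueError("unsupported type " + rtype)


def zonemd_simple_sha384(zone, apex):
    """Digest per RFC 8976 s3.3: every RR in canonical order, deduplicated,
    minus the apex ZONEMD RRset (and, in a signed zone, the RRSIG covering it;
    this unsigned sample zone carries no RRSIGs)."""
    rrs = {}  # (reversed labels, type code, rdata) -> ttl; dict deduplicates
    for owner, ttl, rtype, fields in zone:
        if rtype == "ZONEMD" and _labels(owner) == _labels(apex):
            continue  # the apex ZONEMD placeholder is never part of its own digest
        rrs[(tuple(reversed(_labels(owner))), TYPE[rtype], rdata_wire(rtype, fields))] = ttl
    h = hashlib.sha384()
    # Sorting the key tuples gives RFC 4034 canonical order: by owner name from
    # the rightmost label, then by type, then by RDATA as an octet string.
    for (rev_labels, tcode, rdata), ttl in sorted(rrs.items()):
        owner = ".".join(reversed(rev_labels)) + "."
        h.update(wire_name(owner)
                 + struct.pack("!HHIH", tcode, CLASS_IN, ttl, len(rdata))
                 + rdata)
    return h.digest()


def verify_zonemd(zone, apex):
    """Consumer side (RFC 8976 s4): return (ok, reason). The ZONEMD serial must
    equal the SOA serial, the scheme/hash must be supported, and the digest
    must equal a fresh recomputation over the received zone."""
    soas = [r for r in zone if r[2] == "SOA" and _labels(r[0]) == _labels(apex)]
    if len(soas) != 1:
        return False, "apex must carry exactly one SOA"
    serial = int(soas[0][3][2])
    zonemds = [r for r in zone if r[2] == "ZONEMD" and _labels(r[0]) == _labels(apex)]
    if not zonemds:
        return False, "no ZONEMD at apex"
    computed = zonemd_simple_sha384(zone, apex)
    for _, _, _, fields in zonemds:
        if int(fields[0]) != serial:
            continue  # stale ZONEMD left over from an earlier serial
        if int(fields[1]) != SCHEME_SIMPLE or int(fields[2]) != HASH_SHA384:
            continue  # scheme/hash this verifier does not implement
        if hmac.compare_digest(bytes.fromhex(fields[3]), computed):
            return True, "digest matches"
    return False, "no usable ZONEMD matched the zone data"


def publish_zonemd(zone, apex, serial):
    """Producer side: append the apex ZONEMD RR carrying the computed digest."""
    digest = zonemd_simple_sha384(zone, apex).hex()
    return zone + [(apex, 86400, "ZONEMD",
                    [str(serial), str(SCHEME_SIMPLE), str(HASH_SHA384), digest])]


# Constructed sample zone (not the real root zone). Owner case and record
# order are deliberately mixed to show that canonicalisation removes them.
APEX = "example."
ZONE_SERIAL = 2018031900
ZONE = [
    ("NS1.example.", 3600, "A", ["203.0.113.63"]),
    ("example.", 86400, "NS", ["ns2.example."]),
    ("example.", 86400, "SOA", ["ns1.example.", "admin.example.",
                                str(ZONE_SERIAL), "1800", "900", "604800", "86400"]),
    ("ns2.example.", 3600, "AAAA", ["2001:db8::63"]),
    ("example.", 86400, "NS", ["ns1.example."]),
]

if __name__ == "__main__":
    published = publish_zonemd(ZONE, APEX, ZONE_SERIAL)
    print("intact copy:", verify_zonemd(published, APEX))
    tampered = [r if r[2] != "A" else (r[0], r[1], "A", ["203.0.113.64"]) for r in published]
    print("altered A record:", verify_zonemd(tampered, APEX))
```

Note what the digest does and does not establish: a matching ZONEMD shows the copy in hand is the zone the producer digested, but an attacker who can replace the zone can replace the ZONEMD record with it. RFC 8976 therefore has the verifier DNSSEC-validate the apex ZONEMD RRset in a signed zone, which is also why an RFC 8806 resolver relies on DNSSEC validation of the loopback-served root rather than on the digest alone.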