[rssac-caucus] FOR REVIEW: RSSAC FAQ
Shumon Huque
shuque at gmail.com
Mon Feb 12 01:32:21 UTC 2018
On Fri, Feb 9, 2018 at 8:28 AM, Warren Kumari <warren at kumari.net> wrote:
> On Fri, Feb 9, 2018 at 5:51 AM, Andrew Mcconachie
> <andrew.mcconachie at icann.org> wrote:
> > Dear RSSAC Caucus Members,
> >
> > On behalf of the RSSAC please find the RSSAC FAQ attached for your
> review.
> > Please provide comments/edits to the list or in the document by February
> > 23rd, 2018.
> >
>
>
> 3: I find the answer to 3 to be unsatisfactory -- the answer doesn't
> really answer the question asked.
> DNSSEC protects individual data, but if an RSO downloads a zonefile
> which is truncated, or signatures don't validate, DNSSEC is very
> unlikely to solve this. Pointing out that DNSSEC saves resolvers from
> **believing** corrupt data would be good, but I think pointing at
> TSIG here would be a really good addition. "The transfer of the
> zonefile is protected with TSIG, but even in the unlikely event the
> file were to become corrupted after transfer, <dnssec, dnssec>."
>
Yes, I agree - DNSSEC is not the answer to "How do you ensure
that the root zone is properly replicated?" (I assume from the root
zone maintainer to the root server operators.
In fact, DNSSEC cannot be the answer to this because significant portions
of the root zone data are not signed (e.g. non-authoritative data like
delegation
NS record sets and associated glue records). TSIG or some alternative form
of cryptographically integrity protected transport mechanism is needed.
Maybe the RSSAC FAQ can elaborate on what mechanisms are actually
in place to ensure correct transfer of the root zone to to the RSOs.
Shumon Huque.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/rssac-caucus/attachments/20180211/6493ef8a/attachment.html>
More information about the rssac-caucus
mailing list