[RSSAC Caucus] Annual RSSAC FAQ Review

Renard, Kenneth D CTR USARMY DEVCOM ARL (USA) kenneth.d.renard.ctr at army.mil
Wed Jan 4 11:46:06 UTC 2023


I also feel uncomfortable trying to address “corruption by attack or malware” here and I agree that the question does not really match the answer.  Can we change the question?

I think of the answer in 4.2 as an extension of the previous question (4.1 How do operators ensure that the root zone is properly replicated?).  The ZONEMD answer applies to the root zone _file_, which can be used outside of RZM-to-RSO distribution, such as fetching root zone files for RFC 8806 operations.

Proposed for discussion and word-smithing (new question and added last sentence to existing text):

4.2  Are there [other] ways to verify the integrity of the root zone data?

RFC 8976<https://datatracker.ietf.org/doc/html/rfc8976> defines a mechanism for ensuring the integrity of a DNS zone file using a ZONEMD record that “provides a cryptographic message digest over DNS zone data at rest”. As noted in a statement published by the root-server operators, RSOs will not enable ZONEMD verification for the first year after the initial publication of ZONEMD records. This is not deployed yet, but there are plans to do so in the future.  ZONEMD verification can also be used by other consumers of the root zone file (for example, recursive operators deploying RFC 8806) to verify the authenticity and integrity of the root zone data.

-Ken
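As an added illustration of the RFC 8976 mechanism the proposed 4.2 text refers to (example code, not RSSAC or root-server-operator code; the zone below is constructed, and only SOA, NS and A RDATA are encoded), this computes the SIMPLE/SHA-384 ZONEMD digest and performs the consumer-side check a root zone file user such as an RFC 8806 operator would run:

```python
# Added example (not RSSAC/RSO code): RFC 8976 ZONEMD check, SIMPLE scheme with
# SHA-384, over a constructed zone; stdlib only, so just SOA/NS/A are encoded.
import hashlib, hmac, struct

TYPES = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}
SIMPLE, SHA384 = 1, 1  # RFC 8976 scheme / hash algorithm codes

def labels(name):  # canonical form lowercases; "example." -> [b"example"]
    return [lab.encode("ascii") for lab in name.lower().rstrip(".").split(".") if lab]

def wire_name(name):  # uncompressed wire form; the root name is one zero byte
    return b"".join(bytes([len(lab)]) + lab for lab in labels(name)) + b"\x00"

def wire_rdata(rtype, rdata):
    if rtype == "A":
        return bytes(int(o) for o in rdata.split("."))
    if rtype == "NS":
        return wire_name(rdata)
    if rtype != "SOA": raise ValueError(f"unsupported RR type {rtype}")
    mname, rname, *nums = rdata.split()
    return wire_name(mname) + wire_name(rname) + struct.pack("!5I", *map(int, nums))

def zonemd_digest(apex, rrs):
    # RFC 8976 s3.3.1: drop the apex ZONEMD RRset and duplicates, sort by owner
    # (labels compared right to left), then type, then RDATA, and hash the RRs.
    seen = {}
    for owner, ttl, rtype, rdata in rrs:
        if rtype == "ZONEMD" and labels(owner) == labels(apex):
            continue
        rd = wire_rdata(rtype, rdata)
        hdr = struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rd))  # TYPE CLASS(IN) TTL RDLEN
        seen.setdefault((tuple(reversed(labels(owner))), TYPES[rtype], rd), wire_name(owner) + hdr + rd)
    return hashlib.sha384(b"".join(seen[k] for k in sorted(seen))).digest()

def verify_zonemd(apex, rrs):
    # RFC 8976 s4: a ZONEMD RR is usable only if its serial matches the SOA and
    # its scheme/hash are supported; the recomputed digest must then match it.
    expected = zonemd_digest(apex, rrs)
    serial = next(int(r[3].split()[2]) for r in rrs if r[2] == "SOA")
    for owner, _, rtype, rdata in rrs:
        if rtype == "ZONEMD" and labels(owner) == labels(apex):
            zserial, scheme, halg, digest = rdata.split()
            if (int(zserial), int(scheme), int(halg)) == (serial, SIMPLE, SHA384):
                if hmac.compare_digest(bytes.fromhex(digest), expected):
                    return True
    return False  # no usable ZONEMD record: treat the zone as unverified

ZONE = [  # constructed sample zone, not real data
    ("example.", 3600, "SOA", "ns1.example. hostmaster.example. 2023010401 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("NS1.example.", 3600, "A", "192.0.2.1"),  # mixed case; canonical form lowercases it
]
```

Signature validation of the ZONEMD RRSIG, which the RFC also requires for a DNSSEC-signed zone, is outside this snippet; it checks the digest only.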

From: rssac-caucus <rssac-caucus-bounces at icann.org> on behalf of Andrew McConachie <andrew.mcconachie at icann.org>
Date: Wednesday, January 4, 2023 at 6:13 AM
To: RSSAC Caucus <rssac-caucus at icann.org>
Subject: Re: [RSSAC Caucus] Annual RSSAC FAQ Review

> On 20 Dec 2022, at 16:26, Paul Hoffman <paul.hoffman at icann.org> wrote:
>
>
> On Dec 20, 2022, at 4:21 AM, Andrew McConachie <andrew.mcconachie at icann.org> wrote:
>>
>> Thanks to everyone who joined the productive call to review the RSSAC FAQ comments on December 15th.
>>
>> I had an action item to clean up the document and merge the decisions that were made on the call.
>> <https://docs.google.com/document/d/1_OOt0EBmEqkH5fCXWK4ts8946C7qeI6okDXtK0qoLCs/>
>>
>> I’ve done that and there are no outstanding suggestions in the Google doc. If you have any final comments please get them in the Google doc before January 3rd, 2023.
>
> I have made a few small editorial changes. However, I still have a deep concern about question 4.2. If we answer it honestly, it's only going to confuse readers. I propose that we remove it.
>

Dear All,

This is the one outstanding issue remaining with the FAQ. Paul is suggesting deleting question 4.2, but I would like to hear some other opinions from the Caucus before doing so.

Below is the 4.2 question and answer for your review.

> 4.2 Is there any chance of the root zone files getting corrupted by any attack or malware?
>
> RFC 8976 defines a mechanism for ensuring the integrity of a DNS zone file using a ZONEMD record that "provides a cryptographic message digest over DNS zone data at rest”. As noted in a statement published by the root-server operators, RSOs will not enable ZONEMD verification for the first year after the initial publication of ZONEMD records. This is not deployed yet, but there are plans to do so in the future.
>


Thanks,
Andrew