[RSSAC Caucus] Annual RSSAC FAQ Review

Robert Story rstory at isi.edu
Wed Jan 4 15:09:43 UTC 2023


I agree with Ken and like the new text. Talking about what we
do to try and ensure the integrity of the root zone is one thing.
Enumerating the endless ways things can go wrong is another, and IMHO
out of scope.

Regards,
Robert

On Wed 2023-01-04 11:46:06+0000 Kenneth D CTR USARMY DEVCOM ARL (USA)
via rssac-caucus wrote:
> I also feel uncomfortable trying to address “corruption by attack or
> malware” here and I agree that the question does not really match the
> answer.  Can we change the question?
> 
> I think of the answer in 4.2 as an extension of the previous question
> (4.1 How do operators ensure that the root zone is properly
> replicated?).  The ZONEMD answer applies to the root zone _file_,
> which can be used outside of RZM-to-RSO distribution, such as
> fetching root zone files for RFC 8806 operations.
> 
> Proposed for discussion and word-smithing (new question and added
> last sentence to existing text):
> 
> 4.2  Are there [other] ways to verify the integrity of the root zone
> data?
> 
> RFC 8976<https://datatracker.ietf.org/doc/html/rfc8976> defines a
> mechanism for ensuring the integrity of a DNS zone file using a
> ZONEMD record that “provides a cryptographic message digest over DNS
> zone data at rest”. As noted in a statement published by the
> root-server operators, RSOs will not enable ZONEMD verification for
> the first year after the initial publication of ZONEMD records. This
> is not deployed yet, but there are plans to do so in the future.
> ZONEMD verification can also be used by other consumers of the root
> zone file (for example, recursive operators deploying RFC 8806) to
> verify the authenticity and integrity of the root zone data.

--
Robert Story 
USC Information Sciences Institute <http://www.isi.edu/>
Networking and Cybersecurity Division
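The ZONEMD mechanism discussed in the quoted FAQ text (RFC 8976) is easier to reason about with a worked computation. The following Python is an added example, not code from the RSSAC FAQ, from anyone on this thread, or from the RFC itself: it builds a small constructed, unsigned zone, computes the SIMPLE/SHA-384 digest over the canonically ordered wire-format RRs (apex ZONEMD placeholder and duplicate RRs excluded, owner names lowercased, as RFC 8976 and RFC 4034 section 6 require), and verifies a published ZONEMD against the zone's SOA serial. The zone contents, the names `example.`/`ns1.example.`/`ns2.example.`, and the helper names (`zonemd_digest`, `verify_zonemd`, `published_zone`) are assumptions made for this example; RRSIG placement for signed zones is not handled.

```python
"""RFC 8976 ZONEMD (scheme SIMPLE = 1, hash SHA-384 = 1) over a constructed
unsigned zone. Added example; not RSSAC, ICANN or IETF code. Stdlib only."""
import hashlib
import hmac
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_ZONEMD = 1, 2, 6, 63   # RR type numbers
CLASS_IN = 1
SCHEME_SIMPLE = 1
HASH_SHA384 = 1


def wire_name(name: str) -> bytes:
    """Uncompressed, lowercased wire-format name (RFC 4034 s6.2 canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 canonical name order: labels compared right to left,
    lowercased; a name sorts before any name it is a suffix of."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def rdata_wire(rtype: int, rdata) -> bytes:
    """Wire-format RDATA for the handful of types this example needs."""
    if rtype == TYPE_A:
        return bytes(int(o) for o in rdata.split("."))
    if rtype == TYPE_NS:
        return wire_name(rdata)
    if rtype == TYPE_SOA:
        mname, rname, serial, refresh, retry, expire, minimum = rdata
        return wire_name(mname) + wire_name(rname) + struct.pack(
            "!IIIII", serial, refresh, retry, expire, minimum)
    if rtype == TYPE_ZONEMD:
        serial, scheme, halg, digest = rdata
        return struct.pack("!IBB", serial, scheme, halg) + digest
    raise ValueError(f"unsupported RR type {rtype}")


def rr_wire(owner: str, ttl: int, rtype: int, rd: bytes) -> bytes:
    """Canonical wire RR: owner | type | class | TTL | RDLENGTH | RDATA."""
    return wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd


def soa_serial(zone, apex: str) -> int:
    for owner, _, rtype, rdata in zone:
        if rtype == TYPE_SOA and canonical_key(owner) == canonical_key(apex):
            return rdata[2]
    raise ValueError("zone has no apex SOA")


def zonemd_digest(zone, apex: str) -> bytes:
    """RFC 8976 SIMPLE scheme: SHA-384 over all RRs in canonical order
    (name order, then RR type, then RDATA), one copy of each duplicate RR,
    with the apex ZONEMD RRset left out of its own digest."""
    apex_key = canonical_key(apex)
    seen, rrs = set(), []
    for owner, ttl, rtype, rdata in zone:
        if rtype == TYPE_ZONEMD and canonical_key(owner) == apex_key:
            continue                      # placeholder, never hashed
        rd = rdata_wire(rtype, rdata)
        key = (canonical_key(owner), rtype, rd)
        if key in seen:
            continue                      # RFC 4034 s6.3: duplicates counted once
        seen.add(key)
        rrs.append((key, rr_wire(owner, ttl, rtype, rd)))
    rrs.sort(key=lambda r: r[0])          # bytes compare = left-justified octet order
    h = hashlib.sha384()
    for _, wire in rrs:
        h.update(wire)
    return h.digest()


def make_zonemd(zone, apex: str, ttl: int = 86400):
    """Publisher side: the apex ZONEMD RR carrying the current SOA serial."""
    return (apex, ttl, TYPE_ZONEMD,
            (soa_serial(zone, apex), SCHEME_SIMPLE, HASH_SHA384, zonemd_digest(zone, apex)))


def verify_zonemd(zone, apex: str) -> bool:
    """Consumer side (RFC 8976 s4): True only if an apex ZONEMD with a supported
    scheme/hash exists, its serial equals the SOA serial, and its digest
    matches the digest recomputed over the copy we actually hold."""
    serial = soa_serial(zone, apex)
    for owner, _, rtype, rdata in zone:
        if rtype != TYPE_ZONEMD or canonical_key(owner) != canonical_key(apex):
            continue
        z_serial, scheme, halg, digest = rdata
        if scheme != SCHEME_SIMPLE or halg != HASH_SHA384:
            continue                      # unsupported: this RR cannot be used
        if z_serial != serial:
            continue                      # digest is for another zone version
        if hmac.compare_digest(digest, zonemd_digest(zone, apex)):
            return True
    return False


# Constructed sample zone (not real root-zone data). Mixed-case owner and a
# duplicate A record are deliberate: canonical form lowercases and dedups them.
ZONE = [
    ("example.", 3600, TYPE_SOA,
     ("ns1.example.", "hostmaster.example.", 2023010401, 7200, 3600, 1209600, 3600)),
    ("example.", 3600, TYPE_NS, "ns1.example."),
    ("example.", 3600, TYPE_NS, "ns2.example."),
    ("ns1.example.", 3600, TYPE_A, "192.0.2.1"),
    ("NS2.example.", 3600, TYPE_A, "192.0.2.2"),
    ("ns1.example.", 3600, TYPE_A, "192.0.2.1"),
]


def published_zone():
    """Zone as a publisher would ship it: original RRs plus the apex ZONEMD."""
    return ZONE + [make_zonemd(ZONE, "example.")]


if __name__ == "__main__":
    pub = published_zone()
    print("digest:", zonemd_digest(pub, "example.").hex())
    print("verifies:", verify_zonemd(pub, "example."))
```

The check worth taking away from this is the serial comparison: a ZONEMD record only says something about the zone version whose SOA serial it names, so a consumer fetching a root zone file for RFC 8806 use has to recompute the digest over the exact copy it holds and reject it on either a serial or a digest mismatch. For real zone files the same computation is available in established DNS tooling; the hand-rolled serializer here exists only to make the RFC's ordering and exclusion rules visible.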