<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">I also feel uncomfortable trying to address “corruption by attack or malware” here and I agree that the question does not really match the answer. Can we change the question?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I think of the answer in 4.2 as an extension of the previous question (4.1 How do operators ensure that the root zone is properly replicated?). The ZONEMD answer applies to the root zone _<i>file</i>_, which
can be used outside of RZM-to-RSO distribution, such as fetching root zone files for RFC 8806 operations.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Proposed for discussion and word-smithing (new question and added last sentence to existing text):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">4.2 Are there [other] ways to verify the integrity of the root zone data?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt"><a href="https://datatracker.ietf.org/doc/html/rfc8976">RFC 8976</a> defines a mechanism for ensuring the integrity of a DNS zone file using a ZONEMD record that “provides a cryptographic
message digest over DNS zone data at rest”. As noted in a statement published by the root-server operators, RSOs will not enable ZONEMD verification for the first year after the initial publication of ZONEMD records. This is not deployed yet, but there are
plans to do so in the future. ZONEMD verification can also be used by other consumers of the root zone file (for example, recursive operators deploying RFC 8806) to verify the authenticity and integrity of the root zone data.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">-Ken<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
<b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">rssac-caucus <rssac-caucus-bounces@icann.org> on behalf of Andrew McConachie <andrew.mcconachie@icann.org><br>
<b>Date: </b>Wednesday, January 4, 2023 at 6:13 AM<br>
<b>To: </b>RSSAC Caucus <rssac-caucus@icann.org><br>
<b>Subject: </b>[URL Verdict: Neutral][Non-DoD Source] Re: [RSSAC Caucus] Annual RSSAC FAQ Review<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt">All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying
and pasting the address to a Web browser.<br>
<br>
----<br>
<br>
<br>
<br>
> On 20 Dec 2022, at 16:26, Paul Hoffman <paul.hoffman@icann.org> wrote:<br>
> <br>
> <br>
> On Dec 20, 2022, at 4:21 AM, Andrew McConachie <andrew.mcconachie@icann.org> wrote:<br>
>> <br>
>> Thanks for everyone who joined the productive to review the RSSAC FAQ comments on December 15th.<br>
>> <br>
>> I had an action item to clean up the document and merge the decisions that were made on the call.<br>
>> <Caution-https://docs.google.com/document/d/1_OOt0EBmEqkH5fCXWK4ts8946C7qeI6okDXtK0qoLCs/><br>
>> <br>
>> I’ve done that and there are no outstanding suggestions in the Google doc. If you have any final comments please get them in the Google doc before January 3rd, 2023.
<br>
> <br>
> I have made a few small editorial changes. However, I still have a deep concern about question 4.2. If we answer it honestly, it's only going to confuse readers. I propose that we remove it.<br>
> <br>
<br>
Dear All,<br>
<br>
This is the one outstanding issue remaining with the FAQ. Paul is suggesting deleting question 4.2, but I would like to hear some other opinions from the Caucus before doing so.<br>
<br>
Below is the 4.2 question and answer for your review.<br>
<br>
> 4.2 Is there any chance of the root zone files getting corrupted by any attack or malware?<br>
> <br>
> RFC 8976 defines a mechanism for ensuring the integrity of a DNS zone file using a ZONEMD record that "provides a cryptographic message digest over DNS zone data at rest”. As noted in a statement published by the root-server operators, RSOs will not enable
ZONEMD verification for the first year after the initial publication of ZONEMD records. This is not deployed yet, but there are plans to do so in the future.<br>
> <br>
<br>
<br>
Thanks,<br>
Andrew<o:p></o:p></span></p>
</div>
</div>
</body>
</html>