To:
Randy Bush <randy@psg.com>
Cc:
Lars-Johan Liman <liman@sunet.se>, dnsop@cafax.se
From:
Harald Tveit Alvestrand <Harald@Alvestrand.no>
Date:
Thu, 02 Dec 1999 23:40:58 +0100
In-Reply-To:
<E11tU1E-000Hxd-00@rip.psg.com>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Last WG call for draft-ietf-dnsop-root-opreq-02.txt.
At 03:03 02.12.99 -0800, Randy Bush wrote:
> >> 3.3.3 Transfer of the root zone between root servers MUST be
> >>! authenticated and be as secure as reasonably possible. Out
> >>! of band security validation of updates MUST be supported.
> >>
> > I don't understand what the second sentence means
>
>that an operator should be able to verify that the updated data they have
>received is authentic data by means of an information channel separate from
>the one by which they received it.
>
>an example might be to be able to request a fax of an md5 checksum of the
>root zone.
oh - I see.
Suggested replacement language:
"An operator of a root zone server MUST be able to get proof of the
correctness of a zone file from the authority responsible for updating it
by means not involving DNS operations, for example by telephone, fax,
signed email with a trusted signature or other means".
Never hurts to be explicit....except that the document gets long.....
Harald A
--
Harald Tveit Alvestrand, EDB Maxware, Norway
Harald.Alvestrand@edb.maxware.no