To:
Randy Bush <randy@psg.com>
Cc:
Lars-Johan Liman <liman@sunet.se>, dnsop@cafax.se
From:
Harald Tveit Alvestrand <Harald@Alvestrand.no>
Date:
Thu, 02 Dec 1999 23:40:58 +0100
In-Reply-To:
<E11tU1E-000Hxd-00@rip.psg.com>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Last WG call for draft-ietf-dnsop-root-opreq-02.txt.
At 03:03 02.12.99 -0800, Randy Bush wrote: > >> 3.3.3 Transfer of the root zone between root servers MUST be > >>! authenticated and be as secure as reasonably possible. Out > >>! of band security validation of updates MUST be supported. > >> > > I don't understand what the second sentence means > >that an operator should be able to verify that the updated data they have >received is authentic data by means of an information channel separate from >the one by which they received it. > >an example might be to be able to request a fax of an md5 checksum of the >root zone. oh - I see. Suggested replacement language: "An operator of a root zone server MUST be able to get proof of the correctness of a zone file from the authority responsible for updating it by means not involving DNS operations, for example by telephone, fax, signed email with a trusted signature or other means". Never hurts to be explicit....except that the document gets long..... Harald A -- Harald Tveit Alvestrand, EDB Maxware, Norway Harald.Alvestrand@edb.maxware.no