To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: iesg@ietf.org, dnsop@cafax.se
From: Randy Bush <randy@psg.com>
Date: Sat, 25 Mar 2000 09:38:13 +0900
Sender: owner-dnsop@cafax.se
Subject: Re: Last Call: Root Name Server Operational Requirements to BCP

> opreq section 3.3.3 says ``Servers MUST use DNSSEC to authenticate root
> zones received from other servers.'' That is not current practice.

somehow your ascii text display program seems to have dropped the
following sentence. the entire paragraph reads

   3.3.3 Transfer of the root zone between root servers MUST be
         authenticated and be as secure as reasonably possible. Out of
         band security validation of updates MUST be supported. Servers
         MUST use DNSSEC to authenticate root zones received from other
         servers. It is understood that DNSSEC is not yet deployable on
         some common platforms, but will be deployed when supported.

> opreq section 3.3.2 says ``Root servers MUST be DNSSEC-capable.'' That
> is not current practice.

somehow your ascii text display program seems to have dropped the
following sentence. the entire paragraph reads

   3.3.2 Root servers MUST be DNSSEC-capable so that queries may be
         authenticated by clients with security and authentication
         concerns. It is understood that DNSSEC is not yet deployable on
         some common platforms, but will be deployed when supported.

> opreq section 3.3.1 says ``The root zone MUST be signed by the IANA.''
> That does not appear to be current practice.

somehow your ascii text display program seems to have dropped the
following sentence. the entire paragraph reads

   3.3.1 The root zone MUST be signed by the IANA in accordance with
         DNSSEC, see [RFC2535] or its replacements. It is understood
         that DNSSEC is not yet deployable on some common platforms, but
         will be deployed when supported.

randy