To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: iesg@ietf.org, dnsop@cafax.se
From: Randy Bush <randy@psg.com>
Date: Sat, 25 Mar 2000 09:38:13 +0900
Sender: owner-dnsop@cafax.se
Subject: Re: Last Call: Root Name Server Operational Requirements to BCP

> opreq section 3.3.3 says ``Servers MUST use DNSSEC to authenticate root
> zones received from other servers.'' That is not current practice.
somehow your ascii text display program seems to have dropped the following
sentence. the entire paragraph reads

    3.3.3 Transfer of the root zone between root servers MUST be
          authenticated and be as secure as reasonably possible. Out
          of band security validation of updates MUST be supported.
          Servers MUST use DNSSEC to authenticate root zones received
          from other servers. It is understood that DNSSEC is not
          yet deployable on some common platforms, but will be
          deployed when supported.

> opreq section 3.3.2 says ``Root servers MUST be DNSSEC-capable.'' That
> is not current practice.
somehow your ascii text display program seems to have dropped the following
sentence. the entire paragraph reads

    3.3.2 Root servers MUST be DNSSEC-capable so that queries may be
          authenticated by clients with security and authentication
          concerns. It is understood that DNSSEC is not yet
          deployable on some common platforms, but will be deployed
          when supported.

> opreq section 3.3.1 says ``The root zone MUST be signed by the IANA.''
> That does not appear to be current practice.
somehow your ascii text display program seems to have dropped the following
sentence. the entire paragraph reads

    3.3.1 The root zone MUST be signed by the IANA in accordance with
          DNSSEC, see [RFC2535] or its replacements. It is
          understood that DNSSEC is not yet deployable on some common
          platforms, but will be deployed when supported.

randy