> On Oct 12, 2020, at 9:24 AM, Roman Danyliw <[email protected]> wrote: > > Hi Duane! > > Thanks for the extensive changes in -13. They address my concerns. I have > left one remaining comment about clarifying "provably secure" with a > reference. Otherwise, I've cleared my ballot.
Thanks Roman,
Instead of "provably secure," how does this look to you:
1. The verifier MUST first determine whether or not to expect DNSSEC
records in the zone. By examining locally configured trust
anchors, and, if necessary, querying for and validating DS RRs in
the parent zone, the verifier knows whether or not the zone to be
verified should include DNSSEC keys and signatures. For zones
where signatures are not expected, or if DNSSEC validation is not
performed, digest verification continues at step 4 below.
2. For zones where signatures are expected, the existence of the
apex ZONEMD record MUST be validated. If the DNSSEC data proves
the ZONEMD RRSet does not exist, digest verification cannot
occur. If the DNSSEC data proves the ZONEMD does exist, but is
not found in the zone, digest verification MUST NOT be considered
successful.
3. For zones where signatures are expected, the SOA and ZONEMD
RRSets MUST have valid signatures, chaining up to a trust anchor.
If DNSSEC validation of the SOA or ZONEMD RRSets fails, digest
verification MUST NOT be considered successful.
DW
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
