Hi Duane!

> -----Original Message-----
> From: iesg <[email protected]> On Behalf Of Wessels, Duane
> Sent: Wednesday, October 14, 2020 8:28 AM
> To: Roman Danyliw <[email protected]>
> Cc: [email protected]; Tim Wicinski <[email protected]>; [email protected]; [email protected]; Wessels, Duane <[email protected]>; The IESG <[email protected]>
> Subject: Re: Roman Danyliw's Discuss on draft-ietf-dnsop-dns-zone-digest-12: (with DISCUSS and COMMENT)
>
>
> > On Oct 12, 2020, at 9:24 AM, Roman Danyliw <[email protected]> wrote:
> >
> > Hi Duane!
> >
> > Thanks for the extensive changes in -13. They address my concerns. I have left one remaining comment about clarifying "provably secure" with a reference. Otherwise, I've cleared my ballot.
>
> Thanks Roman,
>
> Instead of "provably secure," how does this look to you:
>
> 1. The verifier MUST first determine whether or not to expect DNSSEC
>    records in the zone. By examining locally configured trust
>    anchors, and, if necessary, querying for and validating DS RRs in
>    the parent zone, the verifier knows whether or not the zone to be
>    verified should include DNSSEC keys and signatures. For zones
>    where signatures are not expected, or if DNSSEC validation is not
>    performed, digest verification continues at step 4 below.
>
> 2. For zones where signatures are expected, the existence of the
>    apex ZONEMD record MUST be validated. If the DNSSEC data proves
>    the ZONEMD RRSet does not exist, digest verification cannot
>    occur. If the DNSSEC data proves the ZONEMD does exist, but is
>    not found in the zone, digest verification MUST NOT be considered
>    successful.
>
> 3. For zones where signatures are expected, the SOA and ZONEMD
>    RRSets MUST have valid signatures, chaining up to a trust anchor.
>    If DNSSEC validation of the SOA or ZONEMD RRSets fails, digest
>    verification MUST NOT be considered successful.
This language looks good to me and is even better than a reference. Thanks for clarifying the text further.

Roman

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
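The three DNSSEC-gated steps quoted above form a small decision procedure that a verifier runs before it ever hashes the zone. The following is an added example, not code from the draft, from Duane Wessels or from Roman Danyliw, that encodes those steps as a pure function over a constructed model of what the verifier has learned about the zone. The names `ZoneView`, `ZonemdEvidence`, `Outcome` and `gate_zonemd_verification` are invented here; the outcome strings quote the draft's own wording. One reading not spelled out in the quoted text is marked as an assumption in the code: a signed zone with no apex ZONEMD RRset and no authenticated denial for it falls through to step 3, where the missing ZONEMD RRset has no valid signature and verification is not considered successful.

```python
"""Steps 1-3 of ZONEMD verification (the DNSSEC gate) as a decision function.

Added example; not the draft's or the authors' code. Step 4 (computing and
comparing the digest itself) is out of scope here and is represented only
by the CONTINUE_TO_DIGEST outcome.
"""
from dataclasses import dataclass
from enum import Enum


class ZonemdEvidence(Enum):
    """What the DNSSEC data says about the apex ZONEMD RRset (constructed model)."""
    PROVEN_ABSENT = "authenticated denial of existence (NSEC/NSEC3) for apex ZONEMD"
    PROVEN_PRESENT = "DNSSEC data proves an apex ZONEMD RRset exists"
    UNVALIDATED = "no authenticated statement either way"


class Outcome(Enum):
    CONTINUE_TO_DIGEST = "digest verification continues at step 4"
    CANNOT_OCCUR = "digest verification cannot occur"
    NOT_SUCCESSFUL = "digest verification MUST NOT be considered successful"


@dataclass(frozen=True)
class ZoneView:
    """Inputs the verifier has before hashing the zone (constructed model)."""
    dnssec_validation_performed: bool   # the verifier is doing DNSSEC validation at all
    signatures_expected: bool           # trust anchor / validated DS RRs say the zone is signed
    zonemd_evidence: ZonemdEvidence     # step 2 input
    zonemd_in_zone: bool                # an apex ZONEMD RRset is actually present in the zone data
    soa_rrsig_valid: bool               # apex SOA RRset validates up to a trust anchor
    zonemd_rrsig_valid: bool            # apex ZONEMD RRset validates up to a trust anchor


def gate_zonemd_verification(z: ZoneView) -> tuple[int, Outcome]:
    """Return (step at which the decision was made, outcome).

    Returning the step number lets a verifier log *why* it stopped, which is
    the detail an operator wants when investigating a failed zone transfer.
    """
    # Step 1: decide whether DNSSEC signatures are expected for this zone.
    if not z.dnssec_validation_performed or not z.signatures_expected:
        return 1, Outcome.CONTINUE_TO_DIGEST

    # Step 2: the existence of the apex ZONEMD RRset must be validated.
    if z.zonemd_evidence is ZonemdEvidence.PROVEN_ABSENT:
        return 2, Outcome.CANNOT_OCCUR
    if z.zonemd_evidence is ZonemdEvidence.PROVEN_PRESENT and not z.zonemd_in_zone:
        return 2, Outcome.NOT_SUCCESSFUL

    # Step 3: SOA and ZONEMD RRsets must carry valid signatures chaining to a
    # trust anchor. Assumption (this example's reading): an absent ZONEMD
    # RRset cannot have a valid signature, so it fails here as well.
    if not z.zonemd_in_zone or not z.soa_rrsig_valid or not z.zonemd_rrsig_valid:
        return 3, Outcome.NOT_SUCCESSFUL

    return 3, Outcome.CONTINUE_TO_DIGEST


# Constructed scenarios covering each branch of the quoted text.
SCENARIOS = {
    "unsigned zone": ZoneView(True, False, ZonemdEvidence.UNVALIDATED, True, False, False),
    "validation disabled": ZoneView(False, True, ZonemdEvidence.UNVALIDATED, True, False, False),
    "signed, ZONEMD proven absent": ZoneView(True, True, ZonemdEvidence.PROVEN_ABSENT, False, True, False),
    "signed, ZONEMD proven present but stripped": ZoneView(True, True, ZonemdEvidence.PROVEN_PRESENT, False, True, False),
    "signed, ZONEMD present, bad SOA RRSIG": ZoneView(True, True, ZonemdEvidence.PROVEN_PRESENT, True, False, True),
    "signed, ZONEMD present, bad ZONEMD RRSIG": ZoneView(True, True, ZonemdEvidence.PROVEN_PRESENT, True, True, False),
    "signed, ZONEMD missing, no denial": ZoneView(True, True, ZonemdEvidence.UNVALIDATED, False, True, False),
    "signed, all good": ZoneView(True, True, ZonemdEvidence.PROVEN_PRESENT, True, True, True),
}


def run_scenarios() -> dict[str, tuple[int, Outcome]]:
    """Evaluate every constructed scenario; handy for a quick table."""
    return {name: gate_zonemd_verification(view) for name, view in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (step, outcome) in run_scenarios().items():
        print(f"{name:45s} -> step {step}: {outcome.value}")
```

The function is deliberately side-effect free: the DNSSEC lookups, denial-of-existence checks and RRSIG validation that populate a `ZoneView` belong to the resolver or validating library, and keeping them outside the gate makes the gate itself easy to test against a table of scenarios like the one above.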
