Re: [Last-Call] Last Call: <draft-ietf-dnsop-dns-zone-digest-09.txt> (Message Digest for DNS Zones) to Proposed Standard

On Mon, Aug 31, 2020 at 09:05:41AM -0700,
 The IESG <iesg-secretary@xxxxxxxx> wrote 
 a message of 51 lines which said:

> The IESG has received a request from the Domain Name System Operations WG
> (dnsop) to consider the following document: - 'Message Digest for DNS Zones'
>   <draft-ietf-dnsop-dns-zone-digest-09.txt> as Proposed Standard

No objection to the draft, but I suggest adding two things to make the
applicability of this technique more precise.

1) In 1.1, after "For example, a name server loading saved zone data
upon restart cannot guarantee that the on-disk data has not been
modified.", add "Such modification could be for instance the result of
an accidental corruption of the file, maybe because a disk was full."
[and add the reference to
<http://web.archive.org/web/20100618032705/https://www.denic.de/en/denic-in-dialogue/news/2733.html>]

2) In 1.1 (or maybe in the Security Considerations), after "not
provide any methods to verify data that is read after transmission is
complete.", add "The ability to verify a signed zone after its
transfer is limited in time. If the keys or DS records are no longer
in the public DNS, the verifier cannot check the authenticity of the
ZONEMD record. This can happen even if signatures in the zone are
still current (not expired): keys and DS records may have been
withdrawn following a key rollover. Therefore, verification must be
timely."

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call