--- 1/draft-ietf-dnsop-dns-zone-digest-06.txt 2020-04-28 12:13:04.948085574 -0700 +++ 2/draft-ietf-dnsop-dns-zone-digest-07.txt 2020-04-28 12:13:05.020087425 -0700 @@ -1,23 +1,23 @@ Internet Engineering Task Force D. Wessels Internet-Draft P. Barber Intended status: Standards Track M. Weinberg -Expires: October 10, 2020 Verisign +Expires: October 30, 2020 Verisign W. Kumari Google W. Hardaker USC/ISI - April 8, 2020 + April 28, 2020 Message Digest for DNS Zones - draft-ietf-dnsop-dns-zone-digest-06 + draft-ietf-dnsop-dns-zone-digest-07 Abstract This document describes a protocol and new DNS Resource Record that can be used to provide a cryptographic message digest over DNS zone data. The ZONEMD Resource Record conveys the digest data in the zone itself. When a zone publisher includes an ZONEMD record, recipients can verify the zone contents for accuracy and completeness. This provides assurance that received zone data matches published data, regardless of how the zone data has been transmitted and received. 
@@ -41,21 +41,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 10, 2020. + This Internet-Draft will expire on October 30, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -104,31 +104,32 @@ 6.1. Attacks Against the Zone Digest . . . . . . . . . . . . . 15 6.2. Attacks Utilizing ZONEMD Queries . . . . . . . . . . . . 15 6.3. Resilience and Fragility . . . . . . . . . . . . . . . . 15 7. Performance Considerations . . . . . . . . . . . . . . . . . 16 7.1. SIMPLE SHA384 . . . . . . . . . . . . . . . . . . . . . . 16 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 10. Implementation Status . . . . . . . . . . . . . . . . . . . . 17 10.1. Authors' Implementation . . . . . . . . . . . . . . . . 17 10.2. Shane Kerr's Implementation . . . . . . . . . . . . . . 18 + 10.3. NIC Chile Labs Implementation . . . . . . . . . . . . . 18 11. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 18 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 12.1. Normative References . . . . . . . . . . . . . . . . . . 23 - 12.2. Informative References . . . . . . . . . . . . . . . . . 23 - Appendix A. Example Zones With Digests . . . . . . . . . . . . . 25 - A.1. Simple EXAMPLE Zone . . . . . . . . . . . . . . . . . . . 25 + 12.2. Informative References . . . . . . . . . . . . . . . . . 24 + Appendix A. Example Zones With Digests . . . . . . . . . . . . . 26 + A.1. Simple EXAMPLE Zone . . . . . . . . . . . . . . . . . . . 26 A.2. Complex EXAMPLE Zone . . . . . . . . . . . . . . . . . . 26 A.3. EXAMPLE Zone with multiple digests . . . . . . . . . . . 27 - A.4. The URI.ARPA Zone . . . . . . . . . . . . . . . . . . . . 27 - A.5. The ROOT-SERVERS.NET Zone . . . . . . . . . . . . . . . . 30 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 + A.4. The URI.ARPA Zone . . . . . . . . . . . . . . . . . . . . 28 + A.5. The ROOT-SERVERS.NET Zone . . . . . . . . . . . . . . . . 31 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 1. 
Introduction In the DNS, a zone is the collection of authoritative resource records (RRs) sharing a common origin ([RFC8499]). Zones are often stored as files on disk in the so-called master file format [RFC1034]. Zones are generally distributed among name servers using the AXFR [RFC5936], and IXFR [RFC1995] protocols. Zone files can also be distributed outside of the DNS, with such protocols as FTP, HTTP, rsync, and even via email. Currently there is no standard way @@ -810,20 +811,36 @@ o Verify the zone digest from an input zone. o Output the ZONEMD record in its defined presentation format. This implementation does not: o Re-compute DNSSEC signature over the ZONEMD record. o Perform DNSSEC validation of the ZONEMD record. +10.3. NIC Chile Labs Implementation + + NIC Chile Labs wrote an implementation of this specification as part + of "dns-tools" suite [DnsTools], which besides digesting, can also + sign and verify zones. This implementation is in Go and is able to + perform the following functions: + + o Compute zone digest over signed zone and update the ZONEMD record. + + o Verify the zone digest from an input zone. + + o Perform DNSSEC validation of the ZONEMD record during + verification. + + o Re-compute DNSSEC signature over the ZONEMD record. + 11. Change Log RFC Editor: Please remove this section. This section lists substantial changes to the document as it is being worked on. From -00 to -01: o Removed requirement to sort by RR CLASS. 
@@ -1035,20 +1052,24 @@ From -05 to -06: o Per WG suggestion, no longer include any apex ZONEMD record in digest calculation. o Updated examples in the appendix. o Clarified verification procedure by describing a loop over all ZONEMD RRs. + From -06 to -07: + + o Added NIC Chile Labs implementation. + 12. References 12.1. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, . [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, @@ -1072,20 +1093,25 @@ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 12.2. Informative References [CZDS] Internet Corporation for Assigned Names and Numbers, "Centralized Zone Data Service", October 2018, . + [DnsTools] + NIC Chile Labs, "DNS tools for zone signature (file, + pkcs11-hsm) and validation, and zone digest (ZONEMD)", + April 2020, . + [InterNIC] ICANN, "InterNIC FTP site", May 2018, . [ldns-zone-digest] Verisign, "Implementation of Message Digests for DNS Zones using the ldns library", July 2018, . [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
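Review bot: In the first hunk (front matter and Abstract), the only changes are the expiry date, the publication date and the draft revision, which is consistent with the metadata in the second hunk; while touching this region, the unchanged Abstract sentence "When a zone publisher includes an ZONEMD record" should read "includes a ZONEMD record" (ZONEMD starts with a consonant sound), a small grammar fix worth folding into this revision.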
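Review bot: In the new Section 10.3 hunk, two wording points: "as part of "dns-tools" suite" should be "as part of the "dns-tools" suite", and the first bullet "Compute zone digest over signed zone and update the ZONEMD record" should be "over a signed zone". More substantively, that bullet is narrower than the corresponding bullet in the preceding implementation ("Verify the zone digest from an input zone" with no signed/unsigned qualifier); please state whether the NIC Chile Labs implementation also computes the digest for unsigned zones or is limited to signed ones, so readers comparing the two implementations are not left guessing. The last two bullets ("Perform DNSSEC validation of the ZONEMD record during verification" and "Re-compute DNSSEC signature over the ZONEMD record") are exactly the two items the previous implementation lists under "This implementation does not", which is useful; consider mirroring that structure with a short "This implementation does not:" list, or an explicit statement that there are no known gaps, so the entries stay parallel.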
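Review bot: In the Change Log and references hunk, the new [DnsTools] entry cites the implementation with a description string as its title ("DNS tools for zone signature (file, pkcs11-hsm) and validation, and zone digest (ZONEMD)") rather than the project name; since Section 10.3 refers to it as the "dns-tools" suite, the reference should carry that name so the citation key, the section text and the entry line up, e.g. NIC Chile Labs, "dns-tools: ...". Because this points at a software repository whose contents change, the entry should also pin what was reviewed (a release tag or the date the repository was accessed, as the "April 2020" date appears intended to do), consistent with how the adjacent [ldns-zone-digest] entry is dated. The "From -06 to -07" change log line correctly records the addition.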