Adding ZONEMD protections to the root zone
The “MD” in ZONEMD stands for “message digest”: this resource record (RR) is a checksum over the state of a zone, covering all of its records, including the “start of authority” (SOA) record that carries the zone’s serial number.
This means that if you fetch an entire zone, whether in the DNS or “out of band” from an FTP or web server or however else you receive it, and that zone carries a ZONEMD record, you have a way to check that the copy in hand is exactly the zone as it should be for that serial.
ZONEMD gives people who copy zones in order to serve them (locally, or more widely) a basis to trust the state of the zone before publishing it.
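The check described above, as an added example that is not code from the podcast, Verisign or APNIC: a deliberately reduced implementation of the RFC 8976 SIMPLE scheme (scheme 1) with SHA-384 (hash algorithm 1). It puts each RR into uncompressed, lowercased wire format, sorts the zone in canonical order (owner name label-by-label from the right, then type number, then RDATA), skips the apex ZONEMD RR itself, hashes the concatenation, and then verifies a published zone against its apex ZONEMD. The zone data is constructed for the example; only SOA, NS, A and ZONEMD types are supported, and DNSSEC records (and the rule excluding the RRSIG over ZONEMD) are left out.

```python
import hashlib
import hmac
import struct

# RR type and class codes from the IANA registries; ZONEMD parameters from RFC 8976.
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_ZONEMD = 1, 2, 6, 63
CLASS_IN = 1
SCHEME_SIMPLE, HASH_SHA384 = 1, 1

# Constructed example zone (assumption: not any real zone). Each RR is
# (owner, ttl, type, rdata); rdata is a string or tuple that rdata_to_wire encodes.
APEX = "example."
ZONE = [
    ("example.", 86400, TYPE_SOA,
     ("ns1.example.", "admin.example.", 2018031900, 1800, 900, 604800, 86400)),
    ("example.", 86400, TYPE_NS, "ns1.example."),
    ("example.", 86400, TYPE_NS, "ns2.example."),
    ("ns1.example.", 3600, TYPE_A, "203.0.113.63"),
    ("ns2.example.", 3600, TYPE_A, "203.0.113.64"),
    ("www.example.", 3600, TYPE_A, "203.0.113.10"),
]


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase, no compression (RFC 4034 s6.2)."""
    labels = name.lower().rstrip(".")
    out = b""
    if labels:
        for label in labels.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def canonical_name_key(name):
    """Sort key for canonical DNS name order (RFC 4034 s6.1): labels right-to-left,
    compared as byte strings, with a missing label sorting before any value."""
    labels = name.lower().rstrip(".")
    parts = labels.split(".") if labels else []
    return tuple(reversed([p.encode("ascii") for p in parts]))


def rdata_to_wire(rtype, rdata):
    """Wire-format RDATA for the handful of types this example supports."""
    if rtype == TYPE_A:
        return bytes(int(octet) for octet in rdata.split("."))
    if rtype == TYPE_NS:
        return name_to_wire(rdata)
    if rtype == TYPE_SOA:
        mname, rname, serial, refresh, retry, expire, minimum = rdata
        return (name_to_wire(mname) + name_to_wire(rname)
                + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))
    if rtype == TYPE_ZONEMD:
        serial, scheme, halg, digest = rdata
        return struct.pack("!IBB", serial, scheme, halg) + digest
    raise ValueError("unsupported RR type %d" % rtype)


def rr_to_wire(owner, ttl, rtype, rdata):
    """Full RR in wire format: owner, type, class, TTL, RDLENGTH, RDATA."""
    rd = rdata_to_wire(rtype, rdata)
    return name_to_wire(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd


def soa_serial(zone, apex):
    for owner, _ttl, rtype, rdata in zone:
        if rtype == TYPE_SOA and owner.lower() == apex.lower():
            return rdata[2]
    raise ValueError("no SOA at apex")


def zonemd_digest(zone, apex):
    """SHA-384 over the canonically ordered zone, excluding apex ZONEMD RRs and
    counting duplicate RRs (same owner, type and RDATA) only once."""
    wires = {}
    for owner, ttl, rtype, rdata in zone:
        if rtype == TYPE_ZONEMD and owner.lower() == apex.lower():
            continue  # the placeholder ZONEMD cannot be part of its own digest
        key = (canonical_name_key(owner), rtype, rdata_to_wire(rtype, rdata))
        wires.setdefault(key, rr_to_wire(owner, ttl, rtype, rdata))
    h = hashlib.sha384()
    for key in sorted(wires):
        h.update(wires[key])
    return h.digest()


def publish_with_zonemd(zone, apex, ttl=86400):
    """Return a copy of the zone with an apex ZONEMD RR carrying the SOA serial and digest."""
    digest = zonemd_digest(zone, apex)
    md = (soa_serial(zone, apex), SCHEME_SIMPLE, HASH_SHA384, digest)
    return list(zone) + [(apex, ttl, TYPE_ZONEMD, md)]


def verify_zonemd(zone, apex):
    """True only if an apex ZONEMD with supported scheme and hash carries the
    current SOA serial and a digest equal to the one recomputed from the zone."""
    serial = soa_serial(zone, apex)
    expected = zonemd_digest(zone, apex)
    for owner, _ttl, rtype, rdata in zone:
        if rtype != TYPE_ZONEMD or owner.lower() != apex.lower():
            continue
        md_serial, scheme, halg, digest = rdata
        if scheme == SCHEME_SIMPLE and halg == HASH_SHA384 and md_serial == serial:
            if hmac.compare_digest(digest, expected):
                return True
    return False  # no ZONEMD, a stale serial, or a digest mismatch: do not trust the copy


if __name__ == "__main__":
    published = publish_with_zonemd(ZONE, APEX)
    print("ZONEMD digest:", zonemd_digest(ZONE, APEX).hex())
    print("verifies:", verify_zonemd(published, APEX))
```

Because the digest is computed over the canonical form, a copy whose owner names differ only in letter case still verifies, while a changed, added or removed record (or a ZONEMD whose serial no longer matches the SOA) makes verification fail, which is exactly the decision a secondary or mirror operator wants to make before loading the zone.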
Duane talks about the long lifetime of this idea, with roots back in the 1990s, and the road to RFC8976 taken by the co-authors. A ZONEMD record with an un-testable signature will be placed in the root zone of the DNS in September of this year, and will become testable in December to allow time for the community to understand its behaviour.
This podcast is accompanied by a repost of a Verisign blog Duane wrote recently which has just been republished here on the APNIC Blog: Adding ZONEMD protections to the root zone
Read more about DNS, ZONEMD, and other blogs and podcasts by Duane on the APNIC Blog and elsewhere online:
- The Root of the DNS revisited (2023, Geoff Huston)
- Notes from DNS OARC 38 (2022 APNIC Blog post by Geoff Huston)
- Notes from DNS OARC 35 (2021 APNIC Blog post by Geoff Huston)
- RFC8976 (2021 RFC by D. Wessels, P. Barber – Verisign; M. Weinberg – Amazon; W. Kumari – Google; and W. Hardaker – USC/ISI)
- [Podcast] A look back at notable root zone changes (Duane Wessels on PING discusses 3 significant root zone changes over the last decade)