Adding ZONEMD protections to the root zone

July 19, 2023

In this episode of PING, Verisign fellow Duane Wessels presents the ZONEMD resource record, defined in RFC8976.

The “MD” in ZONEMD stands for “message digest” and this resource record (RR) is a checksum over the state of a zone, including all its records and the zone serial record (“start of authority” or SOA) which includes a serial number.

This means that by fetching an entire zone, either in the DNS or “out of band” from an FTP or Web server or however you receive it, if it has the ZONEMD record you have a way to check that the entire zone, as it should be for that serial, is exactly what you have in-hand.

ZONEMD is going to permit people who copy zones to serve them (locally, or more widely) now have a basis to trust the state of the zone before publishing it.

Duane talks about the long lifetime of this idea with roots back into the 1990s, and the road to RFC8976 taken by the co-authors. A ZONEMD record with an un-testable signature will be placed in the root zone of the DNS in September of this year, and will become testable in December to allow time for the community to understand it’s behaviour.

This podcast is accompanied by a repost of a Verisign blog Duane wrote recently which has just been republished here on the APNIC Blog: Adding ZONEMD protections to the root zone

Read more about DNS, ZONEMD, and other blogs and podcasts by Duane on the APNIC Blog and elsewhere online: