[Podcast] Adding ZONEMD protections to the root zone

20 Jul 2023

Category: Tech matters


In this episode of PING, Verisign fellow Duane Wessels presents the ZONEMD resource record (RR), defined in RFC 8976.

The ‘MD’ in ZONEMD stands for ‘message digest’. This RR type is a checksum over the state of a zone, covering all of its records, including the start of authority (SOA) record, which carries the zone’s serial number.

When fetching an entire zone, whether from the DNS or ‘out of band’ (from an FTP server, web server, and so on), the entire zone can be verified if a ZONEMD record is present. ZONEMD will provide a source of truth for those who copy zones to serve them (locally, or more widely), letting them check a zone before publishing it.
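The check described above, sketched as an added example (not code from the podcast, Verisign or any resolver). It goes beyond the text by following RFC 8976's SIMPLE scheme with SHA-384, and it assumes the zone is already parsed into `(owner, type, ttl, rdata)` tuples of class IN with canonical RDATA; the `example.` zone and all function names are constructed for illustration.

```python
import hashlib, struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "RRSIG": 46, "ZONEMD": 63}

def labels(name):
    return [l.encode() for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    # Canonical form: lowercase, uncompressed, length-prefixed labels.
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"

def zone_digest(rrs, apex):
    # Hash every RR in canonical order: owner (labels right to left), type, RDATA.
    h = hashlib.sha384()
    order = lambda rr: (labels(rr[0])[::-1], TYPE[rr[1]], rr[3])
    for owner, rtype, ttl, rdata in sorted(set(rrs), key=order):  # set() drops duplicates
        if labels(owner) == labels(apex):
            if rtype == "ZONEMD":
                continue  # the digest cannot cover itself
            if rtype == "RRSIG" and rdata[:2] == struct.pack("!H", TYPE["ZONEMD"]):
                continue  # nor the signature over the ZONEMD RRset
        h.update(wire_name(owner)
                 + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata)
    return h.digest()

def verify_zonemd(rrs, apex):
    soa = next(r for r in rrs if r[1] == "SOA" and labels(r[0]) == labels(apex))
    soa_serial = soa[3][-20:-16]  # SOA RDATA ends with five 32-bit fields; serial is first
    for owner, rtype, ttl, rdata in rrs:
        if rtype != "ZONEMD" or labels(owner) != labels(apex):
            continue
        serial, scheme, alg, digest = rdata[:4], rdata[4], rdata[5], rdata[6:]
        if (scheme, alg) == (1, 1) and serial == soa_serial:  # SIMPLE, SHA-384
            return digest == zone_digest(rrs, apex)
    return False  # no usable ZONEMD record: the zone cannot be verified

def sample_zone(serial=2023072000):
    # Constructed sample data, not real zone content.
    apex = "example."
    soa = wire_name("ns1.example.") + wire_name("admin.example.") + struct.pack(
        "!5I", serial, 1800, 900, 604800, 86400)
    rrs = [(apex, "SOA", 86400, soa),
           (apex, "NS", 86400, wire_name("ns1.example.")),
           ("ns1.example.", "A", 3600, bytes([192, 0, 2, 1]))]
    zonemd = struct.pack("!IBB", serial, 1, 1) + zone_digest(rrs, apex)
    return apex, rrs + [(apex, "ZONEMD", 86400, zonemd)]

if __name__ == "__main__":
    apex, zone = sample_zone()
    print("intact zone verifies:", verify_zonemd(zone, apex))
    zone[2] = ("ns1.example.", "A", 3600, bytes([192, 0, 2, 66]))
    print("modified zone verifies:", verify_zonemd(zone, apex))
```

A digest match only shows the copy is internally consistent; trusting it as the publisher's zone still depends on validating the DNSSEC signature over the ZONEMD record, which this sketch does not do.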

In the podcast, Duane talks about the long lifetime of this idea with roots back into the 1990s, and the road to RFC 8976 taken by the co-authors. A ZONEMD record with an untestable signature will be placed in the root zone of the DNS in September 2023 and will become testable in December to allow time for the community to understand its behaviour.

This podcast is accompanied by a blog post Duane wrote recently: Adding ZONEMD protections to the root zone
