The ‘MD’ in ZONEMD stands for ‘message digest’. The ZONEMD resource record, defined in RFC 8976, carries a cryptographic hash over the contents of a zone: all of its records, including the start of authority (SOA) record, whose serial number identifies the version of the zone the digest was computed over.
Whoever fetches an entire zone, whether by zone transfer over the DNS or ‘out of band’ (from an FTP or web server, and so on), can recompute the digest and compare it with the published ZONEMD record to confirm that the copy is complete and unmodified. That gives operators who copy zones in order to serve them (locally, or more widely) a way to check what they received before publishing it. One caveat: on its own the digest detects corruption or changes in transit; it also tells you the digest came from the zone’s publisher only when the ZONEMD record is covered by a DNSSEC signature that the recipient validates.
In the podcast, Duane talks about the long lifetime of this idea, with roots back in the 1990s, and the road the co-authors took to RFC 8976. A ZONEMD record that cannot yet be verified (it uses a placeholder hash algorithm, so validators will not attempt to check it) will be placed in the root zone of the DNS in September 2023, and in December it will be replaced by a verifiable one, giving the community time to understand its behaviour.
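To make the two preceding paragraphs concrete, here is a small publisher and verifier for the RFC 8976 SIMPLE scheme with SHA-384, added for this post. It is illustrative code, not from the RFC’s authors or from any DNS software, and the zone it works on is constructed sample data. It shows what the digest covers (every record in canonical wire form and canonical order, with the apex ZONEMD record itself excluded), that a stale or tampered copy fails, and that a ZONEMD record carrying an unsupported hash algorithm, like the placeholder described above, is reported as unverifiable rather than as a failure. Only A, NS, SOA and ZONEMD are modelled, without DNSSEC, so there are no RRSIG records to exclude.

```python
"""Minimal RFC 8976 ZONEMD publisher and verifier (SIMPLE scheme, SHA-384).
Illustrative code written for this post, not from RFC 8976's authors or any
DNS implementation; EXAMPLE_ZONE below is constructed sample data."""
import hashlib
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}
CLASS_IN = 1
SCHEME_SIMPLE = 1                  # RFC 8976 scheme 1
HASH_SHA384 = 1                    # RFC 8976 hash algorithm 1
HASHERS = {HASH_SHA384: hashlib.sha384}


def labels(name):
    return [l for l in name.lower().split(".") if l]


def name_wire(name):
    """Uncompressed wire form of a name, lowercased (RFC 4034 section 6.2)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def name_key(name):
    """RFC 4034 section 6.1 canonical order: compare labels right to left;
    tuple comparison makes a name sort before its own descendants."""
    return tuple(l.encode("ascii") for l in reversed(labels(name)))


def rdata(rtype, *fields):
    """Canonical RDATA wire form for the handful of types modelled here."""
    if rtype == "A":
        return bytes(int(octet) for octet in fields[0].split("."))
    if rtype == "NS":
        return name_wire(fields[0])
    if rtype == "SOA":
        mname, rname, *u32 = fields          # serial, refresh, retry, expire, minimum
        return name_wire(mname) + name_wire(rname) + struct.pack("!5I", *u32)
    if rtype == "ZONEMD":
        serial, scheme, alg, digest = fields
        return struct.pack("!IBB", serial, scheme, alg) + digest
    raise ValueError(f"type {rtype} not modelled")


def rr(owner, ttl, rtype, *fields):
    """A resource record as (owner, ttl, type name, rdata bytes)."""
    return (owner, ttl, rtype, rdata(rtype, *fields))


def soa_serial(apex, records):
    for owner, _ttl, rtype, rd in records:
        if rtype == "SOA" and name_key(owner) == name_key(apex):
            return struct.unpack("!I", rd[-20:-16])[0]   # first of the five u32 fields
    raise ValueError("no SOA at apex")


def simple_digest(apex, records, alg=HASH_SHA384):
    """RFC 8976 section 3.3.1: hash every RR in canonical wire form and order,
    skipping the apex ZONEMD RRset itself (and its RRSIGs, if DNSSEC were used)."""
    apex_key = name_key(apex)
    kept = set()                                   # a set drops duplicate RRs
    for owner, ttl, rtype, rd in records:
        if rtype == "ZONEMD" and name_key(owner) == apex_key:
            continue
        kept.add((name_key(owner), TYPE[rtype], rd, ttl, name_wire(owner)))
    h = HASHERS[alg]()
    for _key, rtype_num, rd, ttl, owner_wire in sorted(kept):   # owner, then type, then RDATA
        h.update(owner_wire + struct.pack("!HHIH", rtype_num, CLASS_IN, ttl, len(rd)) + rd)
    return h.digest()


def make_zonemd(apex, records, ttl=86400, alg=HASH_SHA384):
    """Publisher side: the apex ZONEMD RR to add before serving the zone."""
    serial = soa_serial(apex, records)
    return rr(apex, ttl, "ZONEMD", serial, SCHEME_SIMPLE, alg, simple_digest(apex, records, alg))


def verify_zone(apex, records):
    """Consumer side, RFC 8976 section 4.  Returns 'verified', 'failed: ...' or
    'unverifiable: ...'; only 'verified' means the copy matches the publisher's."""
    apex_key = name_key(apex)
    zonemds = [rd for owner, _ttl, rtype, rd in records
               if rtype == "ZONEMD" and name_key(owner) == apex_key]
    if not zonemds:
        return "unverifiable: no ZONEMD at apex"
    serial = soa_serial(apex, records)
    reasons = []
    for rd in zonemds:
        z_serial, scheme, alg = struct.unpack("!IBB", rd[:6])
        if z_serial != serial:                     # zone edited but ZONEMD not regenerated
            reasons.append("failed: serial mismatch")
        elif scheme != SCHEME_SIMPLE or alg not in HASHERS:
            reasons.append(f"unverifiable: unsupported scheme {scheme} or hash algorithm {alg}")
        elif rd[6:] == simple_digest(apex, records, alg):
            return "verified"
        else:
            reasons.append("failed: digest mismatch")   # corrupted or tampered copy
    return reasons[0]


EXAMPLE_ZONE = [   # constructed sample zone, not real data
    rr("example.", 86400, "SOA", "ns1.example.", "hostmaster.example.", 2023090100, 7200, 3600, 1209600, 3600),
    rr("example.", 86400, "NS", "ns1.example."),
    rr("example.", 86400, "NS", "NS2.EXAMPLE."),   # mixed case on purpose; canonical form lowercases it
    rr("ns1.example.", 3600, "A", "192.0.2.1"),
    rr("ns2.example.", 3600, "A", "192.0.2.2"),
    rr("www.example.", 300, "A", "192.0.2.80"),
]


def publish(apex, records):
    """What a publisher serves: the zone plus its freshly computed ZONEMD."""
    return records + [make_zonemd(apex, records)]
```

Running `verify_zone("example.", publish("example.", EXAMPLE_ZONE))` returns `verified`; change any address in the served copy, or bump the SOA serial without regenerating the record, and it returns a `failed` result instead. Because the records are sorted into canonical order before hashing, the order in which a zone file lists them and the letter case of names do not affect the digest, which is what lets a copy fetched from a web server be compared with one obtained by zone transfer.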
This podcast is accompanied by a blog post Duane wrote recently: Adding ZONEMD protections to the root zone
Read more about the DNS, and ZONEMD on the APNIC Blog:
- The Root of the DNS revisited (2023, Geoff Huston)
- Notes from DNS OARC 38 (2022, Geoff Huston)
- Notes from DNS OARC 35 (2021, Geoff Huston)
- [Podcast] A look back at notable root zone changes (Duane Wessels on PING discusses three significant root zone changes over the last decade)
Subscribe and share your story
If you’re interested in sharing your insights or research, please get in touch — we’re always looking for great stories from the community. And please do let us know what you think of the podcast as well as the APNIC Blog so we can keep improving.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.