[dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

Wessels, Duane dwessels at verisign.com
Sat Jul 22 19:10:33 UTC 2023


Hi Otto,

I see now.  My email had a typo / mistake.  Sept 6th should be Sept 13th.  

DW



> On Jul 21, 2023, at 11:48 PM, Otto Moerbeek <otto at drijf.net> wrote:
> 
> Thanks, but I'm still puzzled,
> 
> According to your original post the publishing of the downloadable
> root zone with a ZONEMD record starts at Sept 6. It is not clear to me
> what Hash Algorithm it will use on that date, as the date is before
> Sept 13.
> 
> -Otto
> 
> 
> On Sat, Jul 22, 2023 at 05:04:53AM +0000, Wessels, Duane wrote:
> 
>> Hi Otto,
>> 
>> From 2023-09-13 to 2023-12-06 the Hash Algorithm field of the ZONEMD record will be set to 241 (the first value in the private use range). 
>> 
>> On 2023-12-06 we will change it to Hash Algorithm 1, which is SHA-384.
>> 
>> DW
>> 
>> 
>>> On Jul 20, 2023, at 11:02 PM, Otto Moerbeek <otto at drijf.net> wrote:
>>> 
>>> Hello,
>>> 
>>> thank you for working on this!
>>> 
>>> From the description it is not clear what the Hash Algorithm of the
>>> ZONEMD record included in the downloadable zone file will be per Sept
>>> 6th. Will this ZONEMD record also use a private algorithm and switch
>>> to SHA-384 at a later moment? If so, when?
>>> 
>>> Thanks,
>>> 
>>> -Otto
>>> 
>>> On Wed, Jul 19, 2023 at 04:10:25PM +0000, Wessels, Duane via dns-operations wrote:
>>> 
>>>> Date: Wed, 19 Jul 2023 16:10:25 +0000
>>>> From: "Wessels, Duane" <dwessels at verisign.com>
>>>> To: Andy Smith via dns-operations <dns-operations at dns-oarc.net>
>>>> Subject: Root zone operational announcement: introducing ZONEMD for the
>>>> root zone
>>>> 
>>>> I am pleased to announce that Message Digests for DNS Zones, also known as ZONEMD, will be added to the root zone later this year.  This feature, specified in RFC 8976, adds cryptographic data protections to the zone as a whole, allowing the recipient to verify the authenticity of the zone’s contents.
>>>> 
>>>> ZONEMD will be added to the root zone using a phased approach.  On September 13, 2023, a ZONEMD record will make its first appearance in the root zone.  At this time the Hash Algorithm field will be set to a private use algorithm number, making the ZONEMD record deliberately unverifiable.
>>>> 
>>>> On December 6, 2023, the ZONEMD record will be published with the SHA-384 Hash Algorithm, thereby making it verifiable.
>>>> 
>>>> We expect no operational impacts for end users.  ZONEMD does not affect root zone queries and responses.  The root server operators have agreed to not alter their zone ingestion processes for at least a year after ZONEMD is first introduced.
>>>> 
>>>> Anyone that downloads the root zone file from http://www.internic.net or rs.internic.net should be aware that it will include the new ZONEMD resource record in its native presentation format starting on September 6th.
>>>> 
>>>> Please feel free to follow up with any questions or concerns.
>>>> 
>>>> References and further reading:
>>>> 
>>>> [1] RFC 8976: “Message Digest for DNS Zones”, https://www.rfc-editor.org/rfc/rfc8976
>>>> [2] Root Server Operators Statement on adding ZONEMD to the root zone, https://root-servers.org/media/news/2022-08-Statement_on_ZONEMD.pdf
>>>> [3] RZERC003: “Adding Zone Data Protections to the Root Zone”, https://www.icann.org/uploads/ckeditor/rzerc-003-en.pdf
>>>> [4] Verisign Blog: “Adding ZONEMD Protections to the Root Zone”, https://blog.verisign.com/security/root-zone-zonemd/
>>>> [5] APNIC Ping Podcast episode “Adding ZONEMD protections to the root zone”, https://blubrry.com/ping_podcast/108940688/adding-zonemd-protections-to-the-root-zone/
>>>> 
>>>> 
>>>> DW
>>>> 
>>>> 
>>> 
>>> 
>> 
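Added example, not part of this thread and not code from Verisign or any ZONEMD tool: a pre-check that a consumer of the downloaded zone file could run on the apex ZONEMD record before attempting digest verification, so that the private-use Hash Algorithm 241 phase is reported as "unverifiable" and not as a failed check. The function names, status labels and sample records (including their digests and serials) are constructed for illustration; the field layout and length rules follow RFC 8976.

```python
import binascii

# Digest lengths in octets for the hash algorithms RFC 8976 defines.
DIGEST_LEN = {1: 48, 2: 64}   # 1 = SHA-384, 2 = SHA-512
SCHEME_SIMPLE = 1             # the only scheme RFC 8976 defines

def parse_zonemd(line):
    """Parse one ZONEMD RR in presentation format into a dict.
    Handles comments, parentheses and a digest split by whitespace."""
    text = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
    fields = text.split()
    idx = [f.upper() for f in fields].index("ZONEMD")
    serial, scheme, alg = (int(x) for x in fields[idx + 1: idx + 4])
    digest = binascii.unhexlify("".join(fields[idx + 4:]))
    return {"serial": serial, "scheme": scheme, "alg": alg, "digest": digest}

def assess(rr, soa_serial):
    """Return (status, reason). Status labels are this example's own:
    'invalid'      - record is malformed or stale, treat as an error
    'unverifiable' - well-formed, but this checker cannot verify it
    'candidate'    - go on to compute the zone digest and compare"""
    if rr["serial"] != soa_serial:
        return ("invalid", "ZONEMD serial does not match SOA serial")
    if len(rr["digest"]) < 12:
        return ("invalid", "digest shorter than 12 octets")
    if rr["scheme"] != SCHEME_SIMPLE:
        return ("unverifiable", "unsupported scheme %d" % rr["scheme"])
    if rr["alg"] not in DIGEST_LEN:
        return ("unverifiable", "unsupported hash algorithm %d" % rr["alg"])
    if len(rr["digest"]) != DIGEST_LEN[rr["alg"]]:
        return ("invalid", "digest length wrong for algorithm")
    return ("candidate", "compute digest over the zone and compare")

# Constructed sample records (digests are filler, not real root zone data).
PHASE1 = ". 86400 IN ZONEMD 2023091300 1 241 ( " + "ab" * 24 + " " + "ab" * 24 + " )"
PHASE2 = ". 86400 IN ZONEMD 2023120600 1 1 " + "cd" * 48 + " ; SHA-384"

if __name__ == "__main__":
    for line, soa in ((PHASE1, 2023091300), (PHASE2, 2023120600)):
        rr = parse_zonemd(line)
        print(rr["serial"], rr["alg"], assess(rr, soa))
```

A 'candidate' result still requires computing the digest over the canonical zone contents as RFC 8976 describes; this pre-check only decides whether that step applies.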
