Root zone operational announcement: introducing ZONEMD for the root zone
dwessels at verisign.com
Wed Jul 19 16:10:25 UTC 2023
I am pleased to announce that Message Digests for DNS Zones, also known as ZONEMD, will be added to the root zone later this year. This feature, specified in RFC 8976, adds cryptographic data protections to the zone as a whole, allowing the recipient to verify the authenticity of the zone’s contents.
ZONEMD will be added to the root zone using a phased approach. On September 13, 2023, a ZONEMD record will make its first appearance in the root zone. At this time the Hash Algorithm field will be set to a private use algorithm number, making the ZONEMD record deliberately unverifiable.
On December 6, 2023, the ZONEMD record will be published with the SHA-384 Hash Algorithm, thereby making it verifiable.
We expect no operational impacts for end users. ZONEMD does not affect root zone queries and responses. The root server operators have agreed to not alter their zone ingestion processes for at least a year after ZONEMD is first introduced.
Anyone that downloads the root zone file from www.internic.net or rs.internic.net should be aware that it will include the new ZONEMD resource record in its native presentation format starting on September 6th.
Please feel free to follow up with any questions or concerns.
References and further reading:
 RFC 8976: “Message Digest for DNS Zones”, https://www.rfc-editor.org/rfc/rfc8976
 Root Server Operators Statement on adding ZONEMD to the root zone, https://root-servers.org/media/news/2022-08-Statement_on_ZONEMD.pdf
 RZERC003: “Adding Zone Data Protections to the Root Zone”, https://www.icann.org/uploads/ckeditor/rzerc-003-en.pdf
 Verisign Blog: “Adding ZONEMD Protections to the Root Zone”, https://blog.verisign.com/security/root-zone-zonemd/
 APNIC Ping Podcast episode “Adding ZONEMD protections to the root zone”, https://blubrry.com/ping_podcast/108940688/adding-zonemd-protections-to-the-root-zone/
More information about the dns-operations