A New Data Protection Mechanism for the Root Zone

By the end of this year, the Domain Name System (DNS) root zone will carry with it additional data that will provide a new mechanism for network operators to validate its contents. The new mechanism relies on a standardized "message digest", a mathematical method that lets software validate that it has a complete copy of the data without corruption. The representation of this message digest data in the root zone, known as a "ZONEMD" record, will look indecipherable, but provides the information that the software needs to validate the root zone's contents:

. 86400 IN ZONEMD 2023091300 1 1 (
     FEBE3D4CE2EC2FFA4BA99D46CD69D6D29711E55217057BEE
     7EB1A7B641A47BA7FED2DD5B97AE499FAFA4F22C6BD647DE )

A Phased Approach

To roll out this new functionality, on 13 September 2023, the root zone will start being published with the new message digest data. For the first few months, the message digest will be intentionally not verifiable. Much as when Domain Name System Security Extensions (DNSSEC) was added to the root zone in 2010, this is an opportunity to identify if there is any significant software that has issues with the new record, before anyone relies on its existence.

After providing the record for a few months, it is anticipated that on 6 December 2023 the root zone will start to be published with a fully verifiable ZONEMD record. From this point, anyone who downloads a complete copy of the root zone can use this mechanism to confirm that they have an accurate reproduction before they make use of it.
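The following is an added example, not code from ICANN or Verisign. It parses the ZONEMD record shown above and applies the checks that RFC 8976 (the ZONEMD specification) requires before any digest comparison, separating "cannot be verified" from "ready to verify". The function names and the `soa_serial` argument are assumptions of this sketch.

```python
import binascii
import re

# RFC 8976 code points: scheme 1 = SIMPLE; hash algorithm 1 = SHA-384, 2 = SHA-512.
SCHEMES = {1: "SIMPLE"}
HASH_ALGS = {1: ("sha384", 48), 2: ("sha512", 64)}

# The record printed on this page.
PAGE_RECORD = """. 86400 IN ZONEMD 2023091300 1 1 (
     FEBE3D4CE2EC2FFA4BA99D46CD69D6D29711E55217057BEE
     7EB1A7B641A47BA7FED2DD5B97AE499FAFA4F22C6BD647DE )"""

def parse_zonemd(text):
    """Parse one ZONEMD RR in presentation format (may span lines with parentheses)."""
    flat = re.sub(r";.*", "", text)            # strip zone-file comments
    fields = re.sub(r"[()]", " ", flat).split()
    if "ZONEMD" not in fields:
        raise ValueError("not a ZONEMD record")
    rdata = fields[fields.index("ZONEMD") + 1:]
    if len(rdata) < 4:
        raise ValueError("truncated ZONEMD RDATA")
    serial, scheme, alg = (int(x) for x in rdata[:3])
    digest = binascii.unhexlify("".join(rdata[3:]))  # hex may be split by whitespace
    if len(digest) < 12:
        raise ValueError("digest shorter than the 12-octet minimum")
    return {"serial": serial, "scheme": scheme, "hash_alg": alg, "digest": digest}

def precheck(rec, soa_serial):
    """Decide whether a digest comparison is possible for this record."""
    if rec["serial"] != soa_serial:
        return "serial-mismatch"      # record does not describe this zone version
    if rec["scheme"] not in SCHEMES or rec["hash_alg"] not in HASH_ALGS:
        return "unsupported"          # cannot verify: neither a pass nor a failure
    if len(rec["digest"]) != HASH_ALGS[rec["hash_alg"]][1]:
        return "bad-length"
    return "ready"                    # caller may now hash the canonical zone and compare

if __name__ == "__main__":
    rec = parse_zonemd(PAGE_RECORD)
    print(rec["serial"], SCHEMES[rec["scheme"]], HASH_ALGS[rec["hash_alg"]][0],
          precheck(rec, 2023091300))
```

A result of "ready" only means the record is well formed and uses a supported scheme and hash; the zone is validated only after the digest is recomputed over the canonical zone contents and matches.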

The Impact On You

Unless you have a specific use case that will benefit from ZONEMD, this change will have no impact on you. Day-to-day operation of the root zone is unaffected and conventional DNS usage will continue to function as always. ZONEMD does, however, enable enhanced safeguards for applications that rely on downloading copies of the root zone to function, such as resolvers using the "hyperlocal" technique.

The Role Of The Root Zone Evolution Review Committee

The introduction of ZONEMD is the first piece of new functionality in the root zone that was recommended by the Root Zone Evolution Review Committee (RZERC). This committee was established in 2016, and is composed of representatives from many ICANN community groups who provide advice to ICANN on significant architectural and operational changes to the root zone. RZERC's advice supported implementing ZONEMD in the root zone. The advice also encouraged software implementers to implement ZONEMD and consider enabling it by default for locally served root zone data.

For Network Operators

Our root zone management partner, Verisign, has posted notifications to key DNS operational communities about the specifics of the rollout. We will continue to work closely with them to monitor any experiences caused by these changes and tailor our operational plans accordingly.