The Domain Name System (DNS) Root Zone adds an additional layer of security

The Domain Name System (DNS) root zone, which is a crucial part of the global DNS is soon to be receiving a new record type, called ZONEMD. This new protocol, developed by Verisign and set out in RFC 8976, calls for a cryptographic digest of the zone data to be embedded into the zone itself. This is further aimed at ensuring the security, stability, and resiliency of the global DNS in the face of emerging new approaches to DNS operation.

The root zone contains delegations to nearly 1,500 top-level domains, such as .com, .net, .org, and many others. By including the ZONEMD record, recipients are able to verify the authenticity of the zone data before using it. The Internet Engineering Task Force (IETF) and the Internet Corporation for Assigned Names and Numbers (ICANN) contributed towards the development of ZONEMD by preparing the implementation.

Verisign, ICANN, and the Root Server Operators are taking steps to ensure that the addition of the record does not impact the ability of the root server system. The root zone is stored and served as a file on the internic.net FTP and web servers, and the ZONEMD record will appear in these files using its native presentation format.

Deploying ZONEMD in the root zone helps to increase the security, stability, and resiliency of the Domain Name System. The developers of BIND (open source software used to interact with DNS) implemented the ZONEMD protocol based on an early draft. The initial deployment of ZONEMD in the root zone is currently targeted for September 13, 2023, and the date to begin using the SHA-384 hash algorithm is targeted for December 6, 2023