[lacnog] Fwd: [dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone

Hugo Salgado hsalgado at vulcano.cl
Wed Jul 19 19:18:13 -03 2023


One important point is that processes that parse the root zone
should verify that they support the ZONEMD type, to avoid
errors. Some libraries die when they encounter an unknown
type.

Here is a sample root zone with the record as it will appear:
  http://zonemd-testing.verisignlabs.com/2023010102/root.zone-test-SHA384.zonemd

Hugo

On 14:09 19/07, Nicolas Antoniello wrote:
> FYI
> 
> 
> 
> 
> ---------- Forwarded message ----------
> From: "Wessels, Duane"
> Date: Wed, 19 Jul 2023 16:10:25 +0000
> Subject: Root zone operational announcement: introducing ZONEMD for the
> root zone
> 
> I am pleased to announce that Message Digests for DNS Zones, also known as
> ZONEMD, will be added to the root zone later this year.  This feature,
> specified in RFC 8976, adds cryptographic data protections to the zone as a
> whole, allowing the recipient to verify the authenticity of the zone’s
> contents.
> 
> ZONEMD will be added to the root zone using a phased approach.  On
> September 13, 2023, a ZONEMD record will make its first appearance in the
> root zone.  At this time the Hash Algorithm field will be set to a private
> use algorithm number, making the ZONEMD record deliberately unverifiable.
> 
> On December 6, 2023, the ZONEMD record will be published with the SHA-384
> Hash Algorithm, thereby making it verifiable.
> 
> We expect no operational impacts for end users.  ZONEMD does not affect
> root zone queries and responses.  The root server operators have agreed to
> not alter their zone ingestion processes for at least a year after ZONEMD
> is first introduced.
> 
> Anyone that downloads the root zone file from www.internic.net or
> rs.internic.net should be aware that it will include the new ZONEMD
> resource record in its native presentation format starting on September 6th.
> 
> Please feel free to follow up with any questions or concerns.
> 
> References and further reading:
> 
> [1] RFC 8976: “Message Digest for DNS Zones”,
> https://www.rfc-editor.org/rfc/rfc8976
> [2] Root Server Operators Statement on adding ZONEMD to the root zone,
> https://root-servers.org/media/news/2022-08-Statement_on_ZONEMD.pdf
> [3] RZERC003: “Adding Zone Data Protections to the Root Zone”,
> https://www.icann.org/uploads/ckeditor/rzerc-003-en.pdf
> [4] Verisign Blog: “Adding ZONEMD Protections to the Root Zone”,
> https://blog.verisign.com/security/root-zone-zonemd/
> [5] APNIC Ping Podcast episode “Adding ZONEMD protections to the root
> zone”,
> https://blubrry.com/ping_podcast/108940688/adding-zonemd-protections-to-the-root-zone

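A pre-ingestion check along the lines discussed in this thread, as an added example that is not part of the original messages: it reports record types the consumer does not support instead of failing on them, and classifies the apex ZONEMD record using the RFC 8976 field values (scheme 1 = SIMPLE, hash algorithm 1 = SHA-384, 2 = SHA-512, 240-254 = private use). The supported-type set, the function names and the sample zone are assumptions made for illustration; it assumes one record per line and does not compute the zone digest itself.

```python
# Added example: SUPPORTED and SAMPLE are constructed; adapt them to your own tooling.
SUPPORTED = {"SOA", "NS", "DS", "DNSKEY", "RRSIG", "NSEC", "A", "AAAA", "ZONEMD"}
CLASSES = {"IN", "CH", "HS"}
SCHEMES = {1: "SIMPLE"}                             # RFC 8976 scheme values
HASHES = {1: ("SHA-384", 48), 2: ("SHA-512", 64)}   # name, digest length in octets

SAMPLE = """\
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023010102 1800 900 604800 86400
. 86400 IN ZONEMD 2023010102 1 241 00000000 00000000 00000000
. 518400 IN NS a.root-servers.net.
example. 86400 IN SVCB 1 svc.example.
"""

def split_rr(line):
    """Return (owner, type, rdata fields) for a one-line record, else None."""
    fields = line.split(";", 1)[0].split()
    i = 1
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in CLASSES):
        i += 1                                      # skip optional TTL and class
    return (fields[0], fields[i].upper(), fields[i + 1:]) if i < len(fields) else None

def classify_zonemd(rdata, soa_serial):
    # Presentation format: serial, scheme, hash algorithm, hex digest (may be split).
    serial, scheme, alg = (int(x) for x in rdata[:3])
    digest = bytes.fromhex("".join(rdata[3:]))
    if serial != soa_serial:
        return "stale: ZONEMD serial does not match SOA serial"
    if 240 <= scheme <= 254 or 240 <= alg <= 254:
        return "unverifiable: private-use scheme or hash algorithm"
    if scheme not in SCHEMES or alg not in HASHES:
        return "unverifiable: unsupported scheme or hash algorithm"
    name, size = HASHES[alg]
    if len(digest) != size:
        return f"malformed: {name} digest must be {size} octets"
    return f"verifiable: {SCHEMES[scheme]} / {name}"

def precheck(zone_text):
    """Return (sorted unsupported types, one verdict per apex ZONEMD record)."""
    unknown, soa_serial, zonemd = set(), None, []
    for owner, rtype, rdata in filter(None, map(split_rr, zone_text.splitlines())):
        if rtype not in SUPPORTED:
            unknown.add(rtype)                      # report, do not abort the run
        elif rtype == "SOA" and owner == ".":
            soa_serial = int(rdata[2])              # mname, rname, serial, ...
        elif rtype == "ZONEMD" and owner == ".":
            zonemd.append(rdata)
    return sorted(unknown), [classify_zonemd(r, soa_serial) for r in zonemd]
```

A "verifiable" verdict only means the record uses a scheme and hash algorithm that a validator can check; the digest comparison still has to be done by a ZONEMD-capable tool.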


