[lacnog] Fwd: [dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone
Hugo Salgado
hsalgado at vulcano.cl
Wed Oct 4 18:39:31 -03 2023
On 18:18 19/07, Hugo Salgado wrote:
> One important thing is that processes that parse the root zone
> should verify that they support the ZONEMD type, to avoid
> errors. There are some libraries that die in the presence of an
> unknown type.
And... Cloudflare was the first victim (at least the first known one) :'(
https://blog.cloudflare.com/1-1-1-1-lookup-failures-on-october-4th-2023/
Hugo
>
> Here is an example root zone with the record as it will appear:
> http://zonemd-testing.verisignlabs.com/2023010102/root.zone-test-SHA384.zonemd
>
> Hugo
>
> On 14:09 19/07, Nicolas Antoniello wrote:
> > FYI
> >
> > ---------- Forwarded message ----------
> > From: "Wessels, Duane"
> > Date: Wed, 19 Jul 2023 16:10:25 +0000
> > Subject: Root zone operational announcement: introducing ZONEMD for the
> > root zone
> >
> > I am pleased to announce that Message Digests for DNS Zones, also known as
> > ZONEMD, will be added to the root zone later this year. This feature,
> > specified in RFC 8976, adds cryptographic data protections to the zone as a
> > whole, allowing the recipient to verify the authenticity of the zone’s
> > contents.
> >
> > ZONEMD will be added to the root zone using a phased approach. On
> > September 13, 2023, a ZONEMD record will make its first appearance in the
> > root zone. At this time the Hash Algorithm field will be set to a private
> > use algorithm number, making the ZONEMD record deliberately unverifiable.
> >
> > On December 6, 2023, the ZONEMD record will be published with the SHA-384
> > Hash Algorithm, thereby making it verifiable.
> >
> > We expect no operational impacts for end users. ZONEMD does not affect
> > root zone queries and responses. The root server operators have agreed to
> > not alter their zone ingestion processes for at least a year after ZONEMD
> > is first introduced.
> >
> > Anyone that downloads the root zone file from www.internic.net or
> > rs.internic.net should be aware that it will include the new ZONEMD
> > resource record in its native presentation format starting on September 6th.
> >
> > Please feel free to follow up with any questions or concerns.
> >
> > References and further reading:
> >
> > [1] RFC 8976: “Message Digest for DNS Zones”,
> > https://www.rfc-editor.org/rfc/rfc8976
> > [2] Root Server Operators Statement on adding ZONEMD to the root zone,
> > https://root-servers.org/media/news/2022-08-Statement_on_ZONEMD.pdf
> > [3] RZERC003: “Adding Zone Data Protections to the Root Zone”,
> > https://www.icann.org/uploads/ckeditor/rzerc-003-en.pdf
> > [4] Verisign Blog: “Adding ZONEMD Protections to the Root Zone”,
> > https://blog.verisign.com/security/root-zone-zonemd/
> > [5] APNIC Ping Podcast episode “Adding ZONEMD protections to the root
> > zone”,
> > https://blubrry.com/ping_podcast/108940688/adding-zonemd-protections-to-the-root-zone
>
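The point raised in this thread, a root zone parser that survives a type it does not know and treats the private-use phase of ZONEMD as "unverifiable" rather than as an error, as an added Python example (not code from the thread, Verisign or Cloudflare). It assumes one record per line with all five fields and no comments or parentheses; the sample zone, its digest and the `TYPE65280` record are constructed, and `parse_zonemd`, `read_zone` and the status strings are hypothetical names.

```python
import binascii

# RFC 8976: scheme 1 = SIMPLE; hash algorithm 1 = SHA-384, 2 = SHA-512;
# 240-254 are private use for both fields.
DIGEST_LEN = {1: 48, 2: 64}
KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "DS", "DNSKEY", "RRSIG", "NSEC", "ZONEMD"}

# Constructed sample, not real root zone data (hypothetical digest and TLD).
SAMPLE_ZONE = "\n".join([
    ". 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023091300 1800 900 604800 86400",
    ". 86400 IN ZONEMD 2023091300 1 241 " + "ab" * 48,
    ". 518400 IN NS a.root-servers.net.",
    r"example. 3600 IN TYPE65280 \# 4 0a000001",   # RFC 3597 generic syntax
])

def parse_zonemd(rdata):
    """Parse ZONEMD presentation RDATA: serial, scheme, hash algorithm, hex digest."""
    serial, scheme, alg, *hex_parts = rdata.split()
    serial, scheme, alg = int(serial), int(scheme), int(alg)
    digest = binascii.unhexlify("".join(hex_parts))  # hex may contain whitespace
    if 240 <= scheme <= 254 or 240 <= alg <= 254:
        status = "private-use"      # deliberately unverifiable, not an error
    elif scheme == 1 and DIGEST_LEN.get(alg) == len(digest):
        status = "verifiable"
    else:
        status = "unsupported"      # unknown scheme/algorithm or wrong digest length
    return {"serial": serial, "scheme": scheme, "alg": alg, "status": status}

def read_zone(text):
    """Return (records, zonemd). Unknown types are kept as opaque text, never fatal."""
    records, zonemd, soa_serial = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
        rrtype = rrtype.upper()
        records.append((owner, rrtype, rdata, rrtype in KNOWN_TYPES))
        if rrtype == "SOA" and owner == ".":
            soa_serial = int(rdata.split()[2])
        elif rrtype == "ZONEMD" and owner == ".":
            try:
                zonemd = parse_zonemd(rdata)
            except ValueError:      # bad integers, bad hex, missing fields
                zonemd = {"status": "malformed"}
    # RFC 8976: a ZONEMD whose serial differs from the SOA serial must not verify.
    if zonemd and zonemd.get("serial") not in (None, soa_serial):
        zonemd["status"] = "serial-mismatch"
    return records, zonemd
```

A consumer would attempt digest verification only when the status is `verifiable`, and keep loading the zone in every other case.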