RFC 8976

Message Digest for DNS Zones, February 2021

Status: PROPOSED STANDARD
Authors: D. Wessels, P. Barber, M. Weinberg, W. Kumari, W. Hardaker
Stream: IETF
Source: dnsop (ops)

DOI:  https://doi.org/10.17487/RFC8976

Discuss this RFC: Send questions or comments to the mailing list dnsop@ietf.org



Abstract

This document describes a protocol and new DNS Resource Record that provides a cryptographic message digest over DNS zone data at rest. The ZONEMD Resource Record conveys the digest data in the zone itself. When used in combination with DNSSEC, ZONEMD allows recipients to verify the zone contents for data integrity and origin authenticity. This provides assurance that received zone data matches published data, regardless of how the zone data has been transmitted and received. When used without DNSSEC, ZONEMD functions as a checksum, guarding only against unintentional changes.

ZONEMD does not replace DNSSEC: DNSSEC protects individual RRsets (DNS data with fine granularity), whereas ZONEMD protects a zone's data as a whole, whether consumed by authoritative name servers, recursive name servers, or any other applications.

As specified herein, ZONEMD is impractical for large, dynamic zones due to the time and resources required for digest calculation. However, the ZONEMD record is extensible so that new digest schemes may be added in the future to support large, dynamic zones.


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.



