{"draft":"draft-ietf-dnsop-dns-zone-digest-14","doc_id":"RFC8976","title":"Message Digest for DNS Zones","authors":["D. Wessels","P. Barber","M. Weinberg","W. Kumari","W. Hardaker"],"format":["HTML","TEXT","PDF","XML"],"page_count":"31","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Domain Name System Operations","abstract":"This document describes a protocol and new DNS Resource Record that\r\nprovides a cryptographic message digest over DNS zone data at rest.\r\nThe ZONEMD Resource Record conveys the digest data in the zone\r\nitself. When used in combination with DNSSEC, ZONEMD allows\r\nrecipients to verify the zone contents for data integrity and origin\r\nauthenticity. This provides assurance that received zone data matches\r\npublished data, regardless of how the zone data has been transmitted\r\nand received.  When used without DNSSEC, ZONEMD functions as a\r\nchecksum, guarding only against unintentional changes. \r\n\r\nZONEMD does not replace DNSSEC: DNSSEC protects individual RRsets\r\n(DNS data with fine granularity), whereas ZONEMD protects a zone's\r\ndata as a whole, whether consumed by authoritative name servers,\r\nrecursive name servers, or any other applications. \r\n\r\nAs specified herein, ZONEMD is impractical for large, dynamic zones\r\ndue to the time and resources required for digest calculation.\r\nHowever, the ZONEMD record is extensible so that new digest schemes\r\nmay be added in the future to support large, dynamic zones.","pub_date":"February 2021","keywords":["DNS","DNSSEC","Checksum","Hash","Zone Transfer"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC8976","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc8976"}