Message Digest for DNS Zones
RFC 8976

Document Type RFC - Proposed Standard (February 2021; Errata)
Authors Duane Wessels, Piet Barber, Matt Weinberg, Warren Kumari, Wes Hardaker
Last updated 2021-02-11
Replaces draft-wessels-dns-zone-digest
Stream IETF
WG state Submitted to IESG for Publication
Document shepherd Tim Wicinski
Shepherd write-up last changed 2020-07-24
IESG state RFC 8976 (Proposed Standard)
Consensus Boilerplate Yes
Responsible AD Barry Leiba
Send notices to Tim Wicinski <tjw.ietf@gmail.com>
IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack


Internet Engineering Task Force (IETF)                        D. Wessels
Request for Comments: 8976                                     P. Barber
Category: Standards Track                                       Verisign
ISSN: 2070-1721                                              M. Weinberg
                                                                  Amazon
                                                               W. Kumari
                                                                  Google
                                                             W. Hardaker
                                                                 USC/ISI
                                                           February 2021

                      Message Digest for DNS Zones

Abstract

   This document describes a protocol and new DNS Resource Record that
   provides a cryptographic message digest over DNS zone data at rest.
   The ZONEMD Resource Record conveys the digest data in the zone
   itself.  When used in combination with DNSSEC, ZONEMD allows
   recipients to verify the zone contents for data integrity and origin
   authenticity.  This provides assurance that received zone data
   matches published data, regardless of how the zone data has been
   transmitted and received.  When used without DNSSEC, ZONEMD functions
   as a checksum, guarding only against unintentional changes.

   ZONEMD does not replace DNSSEC: DNSSEC protects individual RRsets
   (DNS data with fine granularity), whereas ZONEMD protects a zone's
   data as a whole, whether consumed by authoritative name servers,
   recursive name servers, or any other applications.

   As specified herein, ZONEMD is impractical for large, dynamic zones
   due to the time and resources required for digest calculation.
   However, the ZONEMD record is extensible so that new digest schemes
   may be added in the future to support large, dynamic zones.
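   The two points the abstract makes, that the digest travels inside the
   zone it covers and that without DNSSEC it is only a checksum, are
   easiest to see with the SIMPLE scheme worked end to end.  The Python
   below is an added example, not code from the RFC or its authors.  It
   encodes RRs in the RFC 4034 canonical form, computes the SIMPLE/SHA-384
   digest while excluding the apex ZONEMD RRset (the placeholder rule of
   Section 3), verifies it as Section 4 describes, and then shows that an
   attacker who can rewrite the zone can also rewrite the digest.  The
   zone data, the handful of supported RR types, the use of each RR's
   zone TTL (the zone is unsigned, so no RRSIG exclusion arises) and the
   rejection of several ZONEMD RRs sharing one scheme and hash algorithm
   are the example's own assumptions; the digest it prints is not one of
   the Appendix A test vectors.

```python
"""RFC 8976 ZONEMD, SIMPLE scheme: digest calculation and verification over a
constructed zone.  Added example; not code from the RFC or its authors."""
import hashlib, hmac, ipaddress, struct

ZONEMD_TYPE = 63                 # RR type code assigned to ZONEMD
SCHEME_SIMPLE = 1                # the only scheme RFC 8976 defines
HASH_SHA384, HASH_SHA512 = 1, 2  # hash algorithm codes
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": ZONEMD_TYPE}

def labels(name):                # lowercased labels, root label dropped
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def wire_name(name):             # uncompressed, lowercased (RFC 4034 Section 6.2 canonical form)
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"

def name_order_key(name):        # canonical name order (RFC 4034 Section 6.1): labels right to left
    return tuple(l.encode("ascii") for l in reversed(labels(name)))

def rdata_wire(rtype, rdata):
    """Canonical RDATA for the few types the constructed zone uses."""
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    if rtype == "NS":
        return wire_name(rdata)                  # names inside RDATA are lowercased too
    if rtype == "SOA":
        mname, rname, *counters = rdata          # serial, refresh, retry, expire, minimum
        return wire_name(mname) + wire_name(rname) + struct.pack("!5I", *counters)
    if rtype == "ZONEMD":
        serial, scheme, alg, digest = rdata      # serial(4) | scheme(1) | hash alg(1) | digest
        return struct.pack("!IBB", serial, scheme, alg) + digest
    raise ValueError("unsupported RR type " + rtype)

def rr_wire(owner, ttl, rtype, rdata):           # RR(i) = owner | type | class | TTL | RDLENGTH | RDATA
    rd = rdata_wire(rtype, rdata)
    return wire_name(owner) + struct.pack("!HHIH", TYPE_CODES[rtype], 1, ttl, len(rd)) + rd  # class IN

def is_apex_zonemd(rr, apex):
    return rr[2] == "ZONEMD" and rr[0].lower() == apex.lower()

def simple_digest(zone, apex, alg=HASH_SHA384):
    """SIMPLE scheme: hash every RR in canonical order and form, skipping the apex ZONEMD
    RRset and duplicates.  Unsigned zone: no RRSIG to exclude, zone TTLs kept (assumption)."""
    h = hashlib.sha384() if alg == HASH_SHA384 else hashlib.sha512()
    ordered = {}
    for owner, ttl, rtype, rdata in zone:
        if not is_apex_zonemd((owner, ttl, rtype, rdata), apex):
            key = (name_order_key(owner), TYPE_CODES[rtype], rdata_wire(rtype, rdata))
            ordered.setdefault(key, rr_wire(owner, ttl, rtype, rdata))   # equal RRs count once
    for key in sorted(ordered):                  # owner name, then type number, then RDATA
        h.update(ordered[key])
    return h.digest()

def apex_soa(zone, apex):                        # -> (TTL, serial) of the apex SOA
    return next((ttl, rd[2]) for o, ttl, t, rd in zone if t == "SOA" and o.lower() == apex.lower())

def publish_zonemd(zone, apex, alg=HASH_SHA384):
    """Publisher side (Section 3): add a placeholder, digest, replace it.  Its bytes
    cannot affect the digest because apex ZONEMD RRs are excluded from it."""
    ttl, serial = apex_soa(zone, apex)
    rest = [rr for rr in zone if not is_apex_zonemd(rr, apex)]
    placeholder = (apex, ttl, "ZONEMD", (serial, SCHEME_SIMPLE, alg, b"\x00" * 48))
    digest = simple_digest(rest + [placeholder], apex, alg)
    return rest + [(apex, ttl, "ZONEMD", (serial, SCHEME_SIMPLE, alg, digest))]

def verify_zonemd(zone, apex):
    """Verifier side (Section 4): accept only an apex ZONEMD whose serial equals the
    SOA serial, whose scheme/algorithm are supported and whose digest recomputes."""
    _, serial = apex_soa(zone, apex)
    rdatas = [rr[3] for rr in zone if is_apex_zonemd(rr, apex)]
    pairs = [(scheme, alg) for _, scheme, alg, _ in rdatas]   # duplicate pair => reject (example's reading)
    for ser, scheme, alg, digest in rdatas:
        if ser != serial or scheme != SCHEME_SIMPLE or alg not in (HASH_SHA384, HASH_SHA512):
            continue
        if pairs.count((scheme, alg)) > 1 or not hmac.compare_digest(digest, simple_digest(zone, apex, alg)):
            continue
        return True
    return False

ZONE = [  # constructed sample zone (not the RFC's Appendix A data); ns2 is mixed case on purpose
    ("example.", 86400, "SOA", ("ns1.example.", "admin.example.", 2018031900, 1800, 900, 604800, 86400)),
    ("example.", 86400, "NS", "ns1.example."),
    ("example.", 86400, "NS", "NS2.example."),
    ("ns1.example.", 3600, "A", "203.0.113.63"),
    ("NS2.example.", 3600, "AAAA", "2001:db8::63"),
]
DIGESTED_ZONE = publish_zonemd(ZONE, "example.")

def change_ns1(zone):                            # attacker edit: repoint ns1's A record
    return [("ns1.example.", 3600, "A", "198.51.100.9") if rr[0] == "ns1.example." else rr for rr in zone]

def tamper_without_recompute():                  # old ZONEMD left in place: caught
    return verify_zonemd(change_ns1(DIGESTED_ZONE), "example.")

def tamper_with_recompute():                     # no DNSSEC: attacker recomputes ZONEMD, checksum only
    return verify_zonemd(publish_zonemd(change_ns1(DIGESTED_ZONE), "example."), "example.")

if __name__ == "__main__":
    serial, scheme, alg, digest = DIGESTED_ZONE[-1][3]
    print(f"example. 86400 IN ZONEMD {serial} {scheme} {alg} {digest.hex()}")
```

   tamper_without_recompute() returns False while tamper_with_recompute()
   returns True: the digest detects accidental or in-transit changes, but
   only a DNSSEC signature over the ZONEMD RRset stops whoever controls
   the zone copy from simply republishing a matching digest.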

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8976.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Motivation
     1.2.  Alternative Approaches
     1.3.  Design Overview
     1.4.  Use Cases
       1.4.1.  Root Zone
       1.4.2.  Providers, Secondaries, and Anycast
       1.4.3.  Response Policy Zones
       1.4.4.  Centralized Zone Data Service
       1.4.5.  General Purpose Comparison Check
     1.5.  Terminology
   2.  The ZONEMD Resource Record
     2.1.  Non-apex ZONEMD Records
     2.2.  ZONEMD RDATA Wire Format
       2.2.1.  The Serial Field
       2.2.2.  The Scheme Field
       2.2.3.  The Hash Algorithm Field
       2.2.4.  The Digest Field
     2.3.  ZONEMD Presentation Format
     2.4.  ZONEMD Example
     2.5.  Including ZONEMD RRs in a Zone
   3.  Calculating the Digest
     3.1.  Add ZONEMD Placeholder
     3.2.  Optionally, Sign the Zone
     3.3.  Scheme-Specific Processing
       3.3.1.  The SIMPLE Scheme
         3.3.1.1.  SIMPLE Scheme Inclusion/Exclusion Rules
         3.3.1.2.  SIMPLE Scheme Digest Calculation
     3.4.  Update ZONEMD RR
   4.  Verifying Zone Digest
   5.  IANA Considerations
     5.1.  ZONEMD RRtype
     5.2.  ZONEMD Scheme
     5.3.  ZONEMD Hash Algorithms
   6.  Security Considerations
     6.1.  Using Zone Digest without DNSSEC
     6.2.  Attacks against the Zone Digest
     6.3.  Use of Multiple ZONEMD Hash Algorithms
     6.4.  DNSSEC Timing Considerations
     6.5.  Attacks Utilizing ZONEMD Queries
     6.6.  Resilience and Fragility
   7.  Performance Considerations
     7.1.  SIMPLE SHA384
   8.  Privacy Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Example Zones with Digests
     A.1.  Simple EXAMPLE Zone
     A.2.  Complex EXAMPLE Zone
     A.3.  EXAMPLE Zone with Multiple Digests