DNS root zone
==Data protection of the root zone==

===Signing of the root zone===
Since July 2010, the root zone has been signed with a [[DNSSEC]] signature,<ref>{{cite web|url=http://www.root-dnssec.org/|title=Root DNSSEC: Information about DNSSEC for the Root Zone|publisher=Internet Corporation For Assigned Names and Numbers|access-date=March 19, 2014}}</ref> providing a single [[trust anchor]] for the Domain Name System that can in turn be used to provide a trust anchor for other [[public key infrastructure]] (PKI). The root zone DNSKEY section is re-signed periodically with the root zone [[Domain_Name_System_Security_Extensions#Key_management|key signing key]]; the signing is performed in a verifiable manner in front of witnesses in a [[Key ceremony|key signing ceremony]].<ref>{{cite web|url=https://www.icann.org/news/announcement-2-2010-06-07-en |title=First KSK Ceremony |publisher=Internet Corporation For Assigned Names and Numbers |date=April 18, 2010 |access-date=October 19, 2014 |url-status=dead |archive-url=https://web.archive.org/web/20150414231507/https://www.icann.org/news/announcement-2-2010-06-07-en |archive-date=April 14, 2015 }}</ref><ref>{{cite web|url=https://www.iana.org/dnssec/ceremonies|title=Root KSK Ceremonies|publisher=Internet Assigned Numbers Authority|date=November 12, 2015|access-date=November 17, 2015}}</ref> The KSK2017 with ID 20326 is valid as of 2020.

===ZONEMD record===
While the root zone file is signed with DNSSEC, some DNS records, such as NS records, are not covered by DNSSEC signatures. To address this weakness, a new DNS Resource Record, called ZONEMD, was introduced in [https://www.rfc-editor.org/rfc/rfc8976 RFC 8976]. ZONEMD does not replace DNSSEC. ZONEMD and DNSSEC must be used together to ensure the full protection of the DNS root zone file.<ref>{{cite web |last1=Wessels |first1=Duane |title=Adding ZONEMD Protections to the Root Zone |url=https://blog.verisign.com/security/root-zone-zonemd/ |website=Verisign Blog |date=April 18, 2023}}</ref><ref>{{cite web |author1=D. Wessels |author2=P. Barber |author3=M. Weinberg |author4=W. Kumari |author5=W. Hardaker |title=RFC 8976 Message Digest for DNS Zones |url=https://www.rfc-editor.org/rfc/rfc8976 |access-date=10 March 2024 |date=February 2021}}</ref> The ZONEMD deployment for the DNS root zone was completed on December 6, 2023.<ref>{{cite web |last1=Wessels |first1=Duane |title=[dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone |url=https://lists.dns-oarc.net/pipermail/dns-operations/2023-December/022388.html |access-date=10 March 2024 |date=2023-12-06}}</ref>

===DNS over TLS===
The B-Root DNS servers offer experimental support for [[DNS over TLS]] (DoT) on port 853.<ref>{{cite web|url=https://b.root-servers.org/news/2023/02/28/tls.html|title=B-Root Offers Experimental Support for DNS over TLS}}</ref>
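
The ZONEMD section above says a whole-zone digest protects records that DNSSEC signatures do not cover. The following added example (not taken from RFC 8976 or from root zone tooling) sketches the core idea: a SHA-384 hash over every record in canonical wire form and canonical order, so a change to an unsigned delegation or glue record is detected. It assumes a constructed four-record zone, encodes only A and NS records, and omits the SOA, ZONEMD and RRSIG handling a full implementation needs, so its output is not comparable to a real ZONEMD value.

```python
import hashlib
import ipaddress
import struct

TYPES = {"A": 1, "NS": 2}  # assumption: only these two RR types are encoded here

def labels(name):
    """Lower-cased labels of a domain name; the root name yields an empty list."""
    return [l.encode("ascii") for l in name.lower().split(".") if l]

def wire_name(name):
    """Uncompressed wire form: length-prefixed labels, then the root label."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"

def encode_rr(owner, ttl, rtype, rdata):
    """Return (sort key, canonical wire form) for one class-IN record."""
    if rtype not in TYPES:
        raise ValueError("unsupported RR type: " + rtype)
    rd = ipaddress.IPv4Address(rdata).packed if rtype == "A" else wire_name(rdata)
    wire = wire_name(owner) + struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rd)) + rd
    # Canonical order: owner labels right to left, then type, then RDATA.
    return (tuple(reversed(labels(owner))), TYPES[rtype], rd), wire

def zone_digest(records):
    """SHA-384 over the deduplicated records in canonical order."""
    encoded = dict(encode_rr(*r) for r in records)  # the dict drops duplicate RRs
    h = hashlib.sha384()
    for key in sorted(encoded):
        h.update(encoded[key])
    return h.hexdigest()

def verify(records, published_digest):
    """True when the received records hash to the published digest."""
    return zone_digest(records) == published_digest

# Constructed sample: a delegation and its glue, using documentation addresses.
ZONE = [
    ("example.", 172800, "NS", "ns1.nic.example."),
    ("example.", 172800, "NS", "ns2.nic.example."),
    ("ns1.nic.example.", 172800, "A", "192.0.2.1"),
    ("ns2.nic.example.", 172800, "A", "192.0.2.2"),
]
PUBLISHED = zone_digest(ZONE)
# Same zone with one glue address altered in transit (constructed).
TAMPERED = [r if r[0] != "ns1.nic.example." else (r[0], r[1], "A", "198.51.100.7")
            for r in ZONE]

if __name__ == "__main__":
    print("intact copy verifies:", verify(ZONE, PUBLISHED))
    print("altered glue verifies:", verify(TAMPERED, PUBLISHED))
```

The digest only proves integrity when the value it is compared against is itself authenticated, which is why the ZONEMD record is signed with DNSSEC and the two are used together.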