Historical Resolution Tracking Feature » RZERC003: Adding Zone Data Protections to the Root Zone

Important note: The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.

RZERC003: Adding Zone Data Protections to the Root Zone


Resolution of the ICANN Board
Meeting Date: 
Thu, 24 Feb 2022
Resolution Number: 
2022.02.24.01 – 2022.02.24.03
Resolution Text: 

Whereas, in February 2021, the Internet Engineering Task Force (IETF) produced RFC 8976 documenting a new technique for verifying the contents of Domain Name System (DNS) zone files: Message Digests for DNS Zones (aka "ZONEMD").

Whereas, on 12 February 2021, the ICANN Root Zone Evolution Review Committee (RZERC) published RZERC003: Adding Zone Data Protections to the Root Zone containing three recommendations to ICANN in support of implementing the ZONEMD protocol in the DNS root zone.

Whereas, the Board Technical Committee (BTC) has considered RZERC003 and ICANN org's feasibility assessment of implementation of the recommendations and found that implementing the recommendations would be in alignment with ​ICANN's strategic ​goals and mission to ensure the stable and secure operation of the Internet's unique identifier systems.

Resolved (2022.02.24.01) the Board accepts Recommendation 1 calling for ICANN org to engage with the Root Zone Maintainer and the Root Server operators to ensure the addition of a ZONEMD resource record to the root zone will not negatively impact the distribution of root zone data within the Root Server System, and directs the ICANN President and CEO, or his designee(s), to implement this recommendation.

Resolved (2022.02.24.02) the Board accepts Recommendation 2 calling for ICANN org to engage with relevant technical bodies to raise awareness of the plan for the deployment of ZONEMD in the root zone, and directs the ICANN President and CEO, or their designee(s), to implement this recommendation.

Resolved (2022.02.24.03) the Board accepts Recommendation 4 calling for ICANN org to develop a plan for deploying ZONEMD in the root zone with its contractors and make the plan available to RZERC for review, and directs the ICANN President and CEO, or his designee(s), to implement this recommendation.

Rationale for Resolution: 

Why is the Board addressing the issue?

The Board is taking action on advice from the RZERC. The RZERC reviews proposed architectural changes to the content of the DNS root zone, the systems including both hardware and software components used in executing changes to the DNS root zone, and the mechanisms used for distribution of the DNS root zone. The Board's consideration of this advice forms a part of the Action Request Register (ARR) process designed to manage community requests to the Board and ICANN org in a consistent, efficient, and transparent manner.

What is the proposal being considered?

In February 2021, the Internet Engineering Task Force (IETF) produced RFC 8976 documenting a new technique for verifying the contents of DNS zone files, known as Message Digests for DNS Zones, or ZONEMD. The RZERC considered a proposal to implement ZONEMD in the root zone at the request of the Root Zone Maintainer and published RZERC003 on 12 February 2021. RZERC003 contains four recommendations in support of implementing the ZONEMD protocol in the DNS root zone:

Recommendation 1: The root zone maintainer and root server operators should verify and confirm that the addition of a ZONEMD resource record will in no way negatively impact the distribution of root zone data within the RSS.

Recommendation 2: The DNS and Internet community should be made aware of plans to use ZONEMD in the root zone, and be given an opportunity to offer feedback. This may include technical presentations at meetings hosted by ICANN, the DNS Operations Analysis and Research Center (DNS-OARC), the North American Network Operators' Group (NANOG), the Réseaux IP Européens (RIPE), etc.

Recommendation 3: Developers of name server software are encouraged to implement ZONEMD and consider enabling it by default when the software is configured to locally serve root zone data. The Board is not taking action on Recommendation 3 as it is not directed at ICANN.

Recommendation 4: Public Technical Identifiers (PTI) and the RZM should jointly develop a plan for deploying ZONEMD in the root zone, and make this plan available for review by RZERC.

Which stakeholders or others were consulted?

RZERC003 was created and edited by members of the RZERC. The RZERC is comprised of representatives from:

Internet Engineering Task Force (IETF)
Address Supporting Organization (ASO)
Country Code Names Supporting Organization (ccNSO)
ICANN Board
Public Technical Identifiers (PTI)
Registries Stakeholder Group of the Generic Names Supporting Organization (RySG)
Root Server System Advisory Committee (RSSAC)
Security and Stability Advisory Committee (SSAC)
Verisign as the Root Zone Maintainer
What concerns or issues were raised by the community?

No concerns or issues raised.

Are there positive or negative community impacts?

Implementation is expected to have positive community impacts by implementing additional security mechanisms for the dissemination of the DNS root zone. No negative impacts have been identified.

What significant materials did the Board review?

The Board reviewed RZERC003 produced by the RZERC and RFC 8976 produced by the IETF. In addition, for each recommendation presented in this resolution the Board considered ICANN org's understanding of the recommendation as confirmed by the RZERC and ICANN org's feasibility assessment of implementation.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

The cost for ICANN org is anticipated to be low, and includes expenditure associated with project management, administration, and outreach efforts. These costs are incorporated into the Office of the Chief Technology Officer (OCTO) budget as part of normal activities.

Are there any security, stability or resiliency issues relating to the DNS?

ZONEMD is a new technique for verifying the contents of DNS zone files. If deployed in the root zone, ZONEMD is expected to provide additional data integrity protections, particularly for emerging applications such as hyperlocal root zone distribution.

Is this action within ICANN's Mission? How does it relate to the global public interest?

This action is within ICANN's mission and serves the global public interest as implementation is expected to provide additional data integrity protections in the root zone.

Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring Public Comment or not requiring Public Comment?

This action does not require Public Comment.