The ZONEMD record (Zone Message Digest) provides cryptographic verification of DNS zone integrity. Defined in RFC 8976, it allows recipients of zone data to verify that the zone contents have not been modified during transfer or storage.
Check ZONEMD records for any domain using our free DNS lookup tool.
Look Up ZONEMD Records →ZONEMD provides a cryptographic hash (digest) of the entire DNS zone contents. This enables:
example.com. 3600 IN ZONEMD 2024040100 1 1 abc123...digest...
Serial: 2024040100, Scheme: 1 (SIMPLE), Hash Algorithm: 1 (SHA-384)
| Field | Description | Example |
|---|---|---|
| Serial | SOA serial number covered | 2024040100 |
| Scheme | Digest scheme (1 = SIMPLE) | 1 |
| Hash Algorithm | Hash algorithm used | 1 (SHA-384), 2 (SHA-512) |
| Digest | Cryptographic hash of zone | Base16 encoded hash |
| Value | Algorithm | Status |
|---|---|---|
| 1 | SHA-384 | Mandatory |
| 2 | SHA-512 | Optional |
The IANA root zone includes ZONEMD, allowing anyone to verify their copy:
. 86400 IN ZONEMD 2024040100 1 1 ...
Verify AXFR/IXFR transfers completed without corruption:
example.com. ZONEMD 2024040100 1 1 abc123...
Sign zones in an air-gapped environment and verify integrity when published.
| Aspect | ZONEMD | DNSSEC |
|---|---|---|
| Protects | Entire zone integrity | Individual record authenticity |
| Granularity | Whole zone | Per-RRset |
| Use case | Transfer/storage verification | Query response authentication |
| Online validation | Not typically | Yes, per query |
Common issues and solutions:
DNS Explorer validates ZONEMD digests, checks zone consistency, and monitors for integrity issues.
Start free DNS Explorer trial14-day full-feature trial
Use our DNS Record Finder to look up ZONEMD records for any domain.
Look Up ZONEMD Records →