ZONEMD Record DNSSEC

The ZONEMD record (Zone Message Digest) provides cryptographic verification of DNS zone integrity. Defined in RFC 8976, it allows recipients of zone data to verify that the zone contents have not been modified during transfer or storage.

What Is a ZONEMD Record?

ZONEMD provides a cryptographic hash (digest) of the entire DNS zone contents. This enables:

  • Zone integrity verification — Detect tampering or corruption
  • Transfer validation — Verify zone transfers completed correctly
  • Offline signing — Sign zones offline and verify integrity later
  • Root zone distribution — Verify root zone copies

ZONEMD Record Format

Example ZONEMD Record

example.com.    3600    IN    ZONEMD    2024040100 1 1 abc123...digest...

Serial: 2024040100, Scheme: 1 (SIMPLE), Hash Algorithm: 1 (SHA-384)

ZONEMD Record Fields

| Field | Description | Example |
|---|---|---|
| Serial | SOA serial number covered | 2024040100 |
| Scheme | Digest scheme (1 = SIMPLE) | 1 |
| Hash Algorithm | Hash algorithm used | 1 (SHA-384), 2 (SHA-512) |
| Digest | Cryptographic hash of zone | Base16 encoded hash |

Hash Algorithms

| Value | Algorithm | Status |
|---|---|---|
| 1 | SHA-384 | Mandatory |
| 2 | SHA-512 | Optional |

How ZONEMD Works

  1. Zone administrator creates or updates the zone
  2. ZONEMD digest is computed over all zone records (except ZONEMD itself)
  3. ZONEMD record is added to zone with matching SOA serial
  4. Zone is signed with DNSSEC (if applicable)
  5. Recipients can verify zone integrity by recomputing digest
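
Step 5 carried out in code, as an added example (not code from this page or from any DNS implementation): it recomputes the SIMPLE-scheme digest following the RFC 8976 rules (canonical RR ordering, apex ZONEMD RRs and their RRSIG excluded, duplicate RRs hashed once) and compares it with the ZONEMD RDATA. Assumptions: RRs are supplied as (owner, type, ttl, rdata) tuples in class IN with RDATA already in canonical wire format, names are plain ASCII, and the zone in sample_zone is constructed for illustration.

```python
import hashlib, struct
ZONEMD, RRSIG = 63, 46                           # RR type codes
HASHES = {1: hashlib.sha384, 2: hashlib.sha512}  # hash algorithm field values

def wire_name(name):
    """Canonical wire form: lowercase, uncompressed, length-prefixed labels."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def canonical_key(rr):
    """Canonical order: owner labels right to left, then type, then RDATA."""
    return (rr[0].lower().rstrip(".").split(".")[::-1], rr[1], rr[3])

def simple_digest(zone, apex, alg):
    """SIMPLE-scheme digest over (owner, type, ttl, rdata) RRs, class IN."""
    h, seen, apex_w = HASHES[alg](), set(), wire_name(apex)
    for owner, rtype, ttl, rdata in sorted(zone, key=canonical_key):
        name = wire_name(owner)
        covers_zonemd = rtype == RRSIG and rdata[:2] == struct.pack("!H", ZONEMD)
        if name == apex_w and (rtype == ZONEMD or covers_zonemd):
            continue  # apex ZONEMD RRs and their RRSIG are not hashed
        if (name, rtype, rdata) not in seen:  # duplicate RRs are hashed once
            seen.add((name, rtype, rdata))
            h.update(name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)
    return h.digest()

def check(rdata, zone, apex, soa_serial):
    """Check one ZONEMD RDATA: serial, scheme and algorithm, then digest."""
    serial, scheme, alg = struct.unpack("!IBB", rdata[:6])
    if serial != soa_serial:
        return "serial mismatch"
    if scheme != 1 or alg not in HASHES:
        return "unsupported scheme or algorithm"
    return "ok" if simple_digest(zone, apex, alg) == rdata[6:] else "digest mismatch"

def verify(zone, apex, soa_serial):
    """'ok' if any apex ZONEMD RR verifies, else the first failure reason."""
    results = [check(rd, zone, apex, soa_serial) for o, t, _, rd in zone
               if t == ZONEMD and wire_name(o) == wire_name(apex)]
    return "ok" if "ok" in results else (results or ["no ZONEMD record"])[0]

def sample_zone(serial=2024040100):
    """Constructed zone (not real data) with a freshly computed ZONEMD RR."""
    ns = wire_name("ns1.example.com.")
    soa = ns + wire_name("admin.example.com.") + struct.pack("!5I", serial, 1800, 900, 604800, 3600)
    zone = [("example.com.", 6, 3600, soa), ("example.com.", 2, 3600, ns),
            ("ns1.example.com.", 1, 3600, bytes([192, 0, 2, 1]))]
    rdata = struct.pack("!IBB", serial, 1, 1) + simple_digest(zone, "example.com.", 1)
    return zone + [("example.com.", ZONEMD, 3600, rdata)]
```

The digest only proves the copy matches what the ZONEMD record says; without a validated DNSSEC signature over the ZONEMD RRset, it detects corruption but not deliberate replacement of both zone and digest.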

ZONEMD Use Cases

Root Zone Verification

The IANA root zone includes ZONEMD, allowing anyone to verify their copy:

.    86400    IN    ZONEMD    2024040100 1 1 ...

Zone Transfer Integrity

Verify AXFR/IXFR transfers completed without corruption:

example.com.    ZONEMD    2024040100 1 1 abc123...

Offline Zone Signing

Sign zones in an air-gapped environment and verify integrity when published.

ZONEMD vs DNSSEC

| Aspect | ZONEMD | DNSSEC |
|---|---|---|
| Protects | Entire zone integrity | Individual record authenticity |
| Granularity | Whole zone | Per-RRset |
| Use case | Transfer/storage verification | Query response authentication |
| Online validation | Not typically | Yes, per query |

ZONEMD Best Practices

  • Match SOA serial — ZONEMD serial must match zone's SOA serial.
  • Use with DNSSEC — Sign ZONEMD for authenticity verification.
  • Update on zone changes — Recompute digest when zone content changes.
  • Use SHA-384 minimum — SHA-384 is mandatory to implement.
  • Verify before deployment — Always verify digest before publishing.

Troubleshooting ZONEMD

Common issues and solutions:

  • Digest mismatch — Zone was modified after digest computation.
  • Serial mismatch — ZONEMD serial doesn't match current SOA serial.
  • Unsupported algorithm — Verify resolver/tool supports the hash algorithm.
  • Verification fails after transfer — Transfer may have corrupted data.
