DNSSEC


The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.


Required parameters

  • RRP KeyData Parameter:
    DNSSEC# = <flags> <protocol> <algorithm> <pubkey>

  • RRP DSData Parameter:
    DNSSECDSDATA# = <keytag> <algorithm> <digestType> <digest>
    • Keytag: 0 – 65535
    • Algorithm: 2,3,4,5,6,7,8,10,12,13,14 (see http://tools.ietf.org/html/rfc4034#appendix-A.1)
    • DigestType: 1 (SHA-1), 2 (SHA-256), 3 (GOST R 34.11-94), 4 (SHA-384)
    • Digest: <Holds the digest>
    • DSDATA can be used as an alternative for all registries that do not require KEYDATA.

Commands

API

Here are some example commands showing how DNSSEC can be added or modified:

  • AddDomain:
[COMMAND]
(required)                
command         = AddDomain
domain          = test-dnssec.org
ownercontact0   = P-JYC21
admincontact0   = P-JYC21
billingcontact0 = P-JYC21
techcontact0    = P-JYC21
dnssec0         = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
nameserver0     = ns-dev.domaindiscount24.net
                
EOF
  • StatusDomain:
[COMMAND]
(required)                    
command             = StatusDomain
domain              = test-dnssec.org
                    
[RESPONSE]          = 
code                = 200
description         = Command completed successfully
...                 
property[dnssec][0] = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
                    
EOF
  • ModifyDomain:
[COMMAND]
(required)            
command     = ModifyDomain
domain      = test-dnssec.org
deldnssec0  = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
adddnssec0  = 256 3 8 substitute
            
[RESPONSE]  = 
code        = 200
description = Command completed successfully
            
EOF
[COMMAND]
(required)            
command     = ModifyDomain
domain      = test-dnssec.org
dnssec0     = 256 3 8 different
            
[RESPONSE]  = 
code        = 200
description = Command completed successfully
            
EOF
Attention: If only "dnssec0" or the alias "dnssec" is used, the values of "dnssec1" and "dnssec2" will be deleted.
E.g.: Even if "dnssec0" and "dnssec1" are given, the "dnssec2" value will be deleted.



To remove the complete DNSSEC information use a ModifyDomain command with the parameter DNSSECDELALL, which will delete all entries at the registry:

[COMMAND]
(required)             
command      = ModifyDomain
domain       = test-dnssec.org
DNSSECDELALL = 1
             
EOF

EPP

Example DS Data Interface and Key Data Interface (rfc5910#section-4.3)

  Example use of the secDNS-1.1 DS Data Interface for a create:
<secDNS:dsData>
  <secDNS:keyTag>12345</secDNS:keyTag>
  <secDNS:alg>3</secDNS:alg>
  <secDNS:digestType>1</secDNS:digestType>
  <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
</secDNS:dsData>
  Example use of the secDNS-1.1 DS Data Interface with optional key data for a create:
<secDNS:dsData>
  <secDNS:keyTag>12345</secDNS:keyTag>
  <secDNS:alg>3</secDNS:alg>
  <secDNS:digestType>1</secDNS:digestType>
  <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
  <secDNS:keyData>
    <secDNS:flags>257</secDNS:flags>
    <secDNS:protocol>3</secDNS:protocol>
    <secDNS:alg>1</secDNS:alg>
    <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
  </secDNS:keyData>
</secDNS:dsData>
  Example use of the secDNS-1.1 Key Data Interface for a create:
<secDNS:keyData>
  <secDNS:flags>257</secDNS:flags>
  <secDNS:protocol>3</secDNS:protocol>
  <secDNS:alg>1</secDNS:alg>
  <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
</secDNS:keyData>


List of supported TLDs

A list of the TLDs currently supported within RRPproxy can be found on the category page Supports_DNSSEC.


Upcoming DNSSEC TLDs

The DNSSEC support of the following TLDs will be implemented soon:
currently none


Common Errors

Please make sure that your pubkey does not contain any blanks or other whitespace.
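
A pre-submission check for the KeyData and DSData parameters described above, as an added example that is not part of the original page or of RRPproxy's own tooling. It validates a `dnssec#` value (including the whitespace error noted here) and derives the matching `DNSSECDSDATA#` value using the key tag and DS digest rules from RFC 4034. The function names are hypothetical, and the sample key is constructed from the pubkey bytes in the EPP example with the algorithm set to 8.

```python
import base64
import hashlib

# Values the page lists for the DSData parameter.
ALGORITHMS = {2, 3, 4, 5, 6, 7, 8, 10, 12, 13, 14}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # 3 (GOST) is not in hashlib


def parse_keydata(value):
    """Parse '<flags> <protocol> <algorithm> <pubkey>' into DNSKEY RDATA bytes."""
    fields = value.split()
    if len(fields) != 4:
        # A pubkey containing blanks splits into extra fields and lands here.
        raise ValueError("expected 4 fields; check the pubkey for whitespace")
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    if not 0 <= flags <= 0xFFFF or protocol != 3 or algorithm not in ALGORITHMS:
        raise ValueError("flags, protocol or algorithm out of range")
    pubkey = base64.b64decode(fields[3], validate=True)  # rejects truncated or non-base64 keys
    return algorithm, flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(domain):
    """Canonical (lower-case) wire form of the owner name."""
    labels = domain.rstrip(".").lower().encode("ascii").split(b".")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dsdata_from_keydata(domain, keydata, digest_type=2):
    """Return the '<keytag> <algorithm> <digestType> <digest>' string for a key."""
    if digest_type not in DIGESTS:
        raise ValueError("unsupported digestType")
    algorithm, rdata = parse_keydata(keydata)
    digest = DIGESTS[digest_type](owner_wire(domain) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed sample: pubkey bytes from the page's EPP example, algorithm set to 8.
SAMPLE_KEY = "257 3 8 AQPJ////4Q=="
if __name__ == "__main__":
    print("DNSSECDSDATA0 =", dsdata_from_keydata("test-dnssec.org", SAMPLE_KEY))
```

Comparing the derived value with the DS record the parent zone publishes after an AddDomain or ModifyDomain confirms that the registry holds the key you intended to submit.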
