The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
DNSSEC
Required parameters
RRP KeyData Parameter:
- DNSSEC# = <flags> <protocol> <algorithm> <pubkey>
- Flags: 256, 257
- Protocol: 3 (DNSSEC)
- Algorithm: 2, 3, 4, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16 http://tools.ietf.org/html/rfc4034#appendix-A.1
- Pubkey: <Holds the public key material>
- KEYDATA can be used anytime and the conversion into DSDATA is possible
RRP DSData Parameter:
- DNSSECDSDATA# = <keytag> <algorithm> <digestType> <digest>
- Keytag: 0 - 65535
- Algorithm: 2, 3, 4, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16 http://tools.ietf.org/html/rfc4034#appendix-A.1
- DigestType: 1 (SHA-1), 2 (SHA-256), 3 (GOST R 34.11-94), 4 (SHA-384)
- Digest: <Holds the digest>
- DSDATA can be used as an alternative for all registries, which do not require KEYDATA
Commands
Here are some command examples that show how DNSSEC could be added or modified:
API
Command
command = AddDomain
domain = test-dnssec.org
ownercontact0 = P-JYC21
admincontact0 = P-JYC21
billingcontact0 = P-JYC21
techcontact0 = P-JYC21
dnssec0 = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
nameserver0 = ns-dev.domaindiscount24.netCommand
command = AddDomain
domain = test-dnssec.org
ownercontact0 = P-JYC21
admincontact0 = P-JYC21
billingcontact0 = P-JYC21
techcontact0 = P-JYC21
dnssecdsdata0 = 1325 12 2 AWEAADDECAJHATJFSONTY58WCBAH1BX+JHATJ
nameserver0 = ns.yourdomain.TLDStatusDomain
Command
command = StatusDomain
domain = test-dnssec.orgResponse
code = 200
description = Command completed successfully
...
property[dnssec][0] = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1BxModifyDomain
Command
command = ModifyDomain
domain = test-dnssec.org
deldnssec0 = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
adddnssec0 = 256 3 8 substituteResponse
code = 200
description = Command completed successfullyCommand
command = ModifyDomain
domain = test-dnssec.org
dnssec0 = 256 3 8 differentResponse
code = 200
description = Command completed successfullyNote
If only "dnssec0" or the alias "dnssec" is used, the values of "dnssec1" and "dnssec2" will be deleted. e.g.: Even if "dnssec0" and "dnssec1" are given, the "dnssec2" value will be deleted.
To remove the complete DNSSEC information use a ModifyDomain command with the parameter DNSSECDELALL, which will delete all entries at the registry:
Command
command = ModifyDomain
domain = test-dnssec.org
DNSSECDELALL = 1EPP
Example DS Data Interface and Key Data Interface ( rfc5910#section-4.3 ). Example use of the secDNS-1.1 DS Data Interface for a create:
<secDNS:dsData>
<secDNS:keyTag>12345</secDNS:keyTag>
<secDNS:alg>3</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
</secDNS:dsData>Example use of secDNS-1.1 DS Data Interface with option key data for a create:
<secDNS:dsData>
<secDNS:keyTag>12345</secDNS:keyTag>
<secDNS:alg>3</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
<secDNS:keyData>
<secDNS:flags>257</secDNS:flags>
<secDNS:protocol>3</secDNS:protocol>
<secDNS:alg>1</secDNS:alg>
<secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
</secDNS:keyData>
</secDNS:dsData>Example use of the secDNS-1.1 Key Data Interface for a create:
<secDNS:keyData>
<secDNS:flags>257</secDNS:flags>
<secDNS:protocol>3</secDNS:protocol>
<secDNS:alg>1</secDNS:alg>
<secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
</secDNS:keyData>Common errors
Please make sure that your pubkey does not contain any blanks/whitespaces.