The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
DNSSEC
Required parameters
RRP KeyData Parameter:
- DNSSEC# = <flags> <protocol> <algorithm> <pubkey>
- Flags: 256, 257
- Protocol: 3 (DNSSEC)
- Algorithm: 2, 3, 4, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16 http://tools.ietf.org/html/rfc4034#appendix-A.1
- Pubkey: <Holds the public key material>
- KEYDATA can be used at any time, and conversion into DSDATA is possible
RRP DSData Parameter:
- DNSSECDSDATA# = <keytag> <algorithm> <digestType> <digest>
- Keytag: 0 - 65535
- Algorithm: 2, 3, 4, 5, 6, 7, 8, 10, 12, 13, 14, 15, 16 http://tools.ietf.org/html/rfc4034#appendix-A.1
- DigestType: 1 (SHA-1), 2 (SHA-256), 3 (GOST R 34.11-94), 4 (SHA-384)
- Digest: <Holds the digest>
- DSDATA can be used as an alternative for all registries that do not require KEYDATA
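The conversion mentioned in the KEYDATA note, as an added example that is not part of the original page or the registrar's own tooling: it turns a dnssecN KEYDATA value into the matching dnssecdsdataN DSDATA value, using the key tag algorithm from RFC 4034 Appendix B and the DS digest over the owner name plus DNSKEY RDATA. The function names and the 4-byte sample key material are constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest types from the DSDATA parameter list (GOST, type 3, needs a
# third-party hash implementation and is left out here).
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def parse_keydata(value):
    """Parse an RRP dnssecN value: '<flags> <protocol> <algorithm> <pubkey>'."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("expected 4 fields; the pubkey must not contain whitespace")
    flags, protocol, alg = (int(p) for p in parts[:3])
    if flags not in (256, 257):
        raise ValueError("flags must be 256 (ZSK) or 257 (KSK)")
    if protocol != 3:
        raise ValueError("protocol must be 3")
    pubkey = base64.b64decode(parts[3], validate=True)
    return flags, protocol, alg, pubkey

def dnskey_rdata(flags, protocol, alg, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, alg) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name in canonical (lowercase) wire format (RFC 4034 section 6.2)."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def keydata_to_dsdata(domain, keydata, digest_type=2):
    """Return the RRP dnssecdsdataN value matching a dnssecN value.

    The DS digest covers owner name + DNSKEY RDATA (RFC 4034 section 5.1.4).
    """
    flags, protocol, alg, pubkey = parse_keydata(keydata)
    rdata = dnskey_rdata(flags, protocol, alg, pubkey)
    digest = DIGEST_FUNCS[digest_type](owner_wire(domain) + rdata).hexdigest()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest.upper()}"

if __name__ == "__main__":
    # Constructed 4-byte placeholder key material, not a valid key.
    print(keydata_to_dsdata("test-dnssec.org", "257 3 13 AQIDBA=="))
```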
Commands
Here are some command examples showing how DNSSEC data can be added or modified:
API
Command
command = AddDomain
domain = test-dnssec.org
ownercontact0 = P-JYC21
admincontact0 = P-JYC21
billingcontact0 = P-JYC21
techcontact0 = P-JYC21
dnssec0 = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
nameserver0 = ns-dev.domaindiscount24.net
Command
command = AddDomain
domain = test-dnssec.org
ownercontact0 = P-JYC21
admincontact0 = P-JYC21
billingcontact0 = P-JYC21
techcontact0 = P-JYC21
dnssecdsdata0 = 1325 12 2 AWEAADDECAJHATJFSONTY58WCBAH1BX+JHATJ
nameserver0 = ns.yourdomain.TLD
StatusDomain
Command
command = StatusDomain
domain = test-dnssec.org
Response
code = 200
description = Command completed successfully
...
property[dnssec][0] = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
ModifyDomain
Command
command = ModifyDomain
domain = test-dnssec.org
deldnssec0 = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
adddnssec0 = 256 3 8 substitute
Response
code = 200
description = Command completed successfully
Command
command = ModifyDomain
domain = test-dnssec.org
dnssec0 = 256 3 8 different
Response
code = 200
description = Command completed successfully
If only "dnssec0" (or its alias "dnssec") is given, the existing values of "dnssec1" and "dnssec2" will be deleted: the dnssecN parameters supplied in a ModifyDomain command replace the complete set of entries. For example, even if "dnssec0" and "dnssec1" are given, the "dnssec2" value will be deleted.
To remove all DNSSEC information, use a ModifyDomain command with the parameter DNSSECDELALL, which deletes all entries at the registry:
Command
command = ModifyDomain
domain = test-dnssec.org
DNSSECDELALL = 1
EPP
Examples of the DS Data Interface and the Key Data Interface (rfc5910#section-4.3). Example use of the secDNS-1.1 DS Data Interface for a create:
<secDNS:dsData>
<secDNS:keyTag>12345</secDNS:keyTag>
<secDNS:alg>3</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
</secDNS:dsData>
Example use of the secDNS-1.1 DS Data Interface with optional key data for a create:
<secDNS:dsData>
<secDNS:keyTag>12345</secDNS:keyTag>
<secDNS:alg>3</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
<secDNS:keyData>
<secDNS:flags>257</secDNS:flags>
<secDNS:protocol>3</secDNS:protocol>
<secDNS:alg>1</secDNS:alg>
<secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
</secDNS:keyData>
</secDNS:dsData>
Example use of the secDNS-1.1 Key Data Interface for a create:
<secDNS:keyData>
<secDNS:flags>257</secDNS:flags>
<secDNS:protocol>3</secDNS:protocol>
<secDNS:alg>1</secDNS:alg>
<secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
</secDNS:keyData>
Please make sure that your pubkey does not contain any blanks or other whitespace.