DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Required parameters

RRP KeyData Parameter:

DNSSEC# = <flags> <protocol> <algorithm> <pubkey>
Flags: 256,257
Protocol: 3 (DNSSEC)
Algorithm: 2,3,4,5,6,7,8,10,12,13,14 http://tools.ietf.org/html/rfc4034#appendix-A.1
Pubkey: <Holds the public key material>
KEYDATA can be used anytime and the conversion into DSDATA is possible

RRP DSData Parameter:

DNSSECDSDATA# = <keytag> <algorithm> <digestType> <digest>
Keytag: 0 – 65535
Algorithm: 2,3,4,5,6,7,8,10,12,13,14 http://tools.ietf.org/html/rfc4034#appendix-A.1
DigestType: 1 (SHA-1), 2 (SHA-256), 3 (GOST R 34.11-94), 4 (SHA-384)
Digest: <Holds the digest>
DSDATA can be used as an alternative for all registries, which do not require KEYDATA

Commands

Here are some examples commands how DNSSEC could be added or modified:

API

Command

command         = AddDomain
domain          = test-dnssec.org
ownercontact0   = P-JYC21
admincontact0   = P-JYC21
billingcontact0 = P-JYC21
techcontact0    = P-JYC21
dnssec0         = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
nameserver0     = ns-dev.domaindiscount24.net

StatusDomain

Command

command             = StatusDomain
domain              = test-dnssec.org

Response

code                = 200
description         = Command completed successfully
...                 
property[dnssec][0] = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx

ModifyDomain

Command

command     = ModifyDomain
domain      = test-dnssec.org
deldnssec0  = 256 3 8 AwEAAdDECajHaTjfSoNTY58WcBah1Bx
adddnssec0  = 256 3 8 substitute

Response

code        = 200
description = Command completed successfully

Command

command     = ModifyDomain
domain      = test-dnssec.org
dnssec0     = 256 3 8 different

Response

code        = 200
description = Command completed successfully

Note

If only "dnssec0" or the alias "dnssec" is used, the values of "dnssec1" and "dnssec2" will be deleted. e.g.: Even if "dnssec0" and "dnssec1" are given, the "dnssec2" value will be deleted.

To remove the complete DNSSEC information use a ModifyDomain command with the parameter DNSSECDELALL, which will delete all entries at the registry:

Command

command      = ModifyDomain
domain       = test-dnssec.org
DNSSECDELALL = 1

EPP

Example DS Data Interface and Key Data Interface ( rfc5910#section-4.3 ). Example use of the secDNS-1.1 DS Data Interface for a create:

  <secDNS:dsData>
    <secDNS:keyTag>12345</secDNS:keyTag>
    <secDNS:alg>3</secDNS:alg>
    <secDNS:digestType>1</secDNS:digestType>
    <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
  </secDNS:dsData>

Example use of secDNS-1.1 DS Data Interface with option key data for a create:

  <secDNS:dsData>
    <secDNS:keyTag>12345</secDNS:keyTag>
    <secDNS:alg>3</secDNS:alg>
    <secDNS:digestType>1</secDNS:digestType>
    <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
    <secDNS:keyData>
      <secDNS:flags>257</secDNS:flags>
      <secDNS:protocol>3</secDNS:protocol>
      <secDNS:alg>1</secDNS:alg>
      <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
    </secDNS:keyData>
   </secDNS:dsData>

Example use of the secDNS-1.1 Key Data Interface for a create:

   <secDNS:keyData>
     <secDNS:flags>257</secDNS:flags>
     <secDNS:protocol>3</secDNS:protocol>
     <secDNS:alg>1</secDNS:alg>
     <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
   </secDNS:keyData>

Common errors

Please make sure that your pubkey does not contain any blanks/whitespaces.