Configure DNSSEC in the API

 

DNSSEC stands for DNS Security Extensions. It is designed to protect Internet resolvers (clients) from forged DNS data and so prevent DNS tampering. DNSSEC works by digitally signing the DNS records at the authoritative DNS server. By checking the digital signature, a DNS resolver knows whether the information it receives is identical (correct and complete) to the information on the authoritative DNS server. This attests to the validity of the address, and ensures that the site you visit is the one you intended to go to rather than a site where your personal information could be compromised. If the DNS cannot be authenticated, your browser won't display the site.

Your DNS provider supplies the DNSSEC values that you enter for your domains.

Note: OpenSRS does not do any DNSSEC validation; we simply pass the DNSSEC values on to the registry.

You cannot assign DNSSEC values to a domain at the time that you register it, but once the domain is registered, you can modify it and add the DNSSEC values. There is no charge for this service.

Allowed values

The following values can be obtained from the DNS provider for the domain.

Key Tag (key_tag) — An integer value less than 65536 (that is, no more than 65535) that identifies the DNSSEC record for this domain name.

Algorithm (algorithm) — The cryptographic algorithm that generates the signature. Allowed values are:

  • 2      Diffie-Hellman
  • 3      DSA/SHA-1
  • 5      RSA/SHA-1
  • 6      DSA-NSEC3/SHA1
  • 7      RSASHA1-NSEC3/SHA1
  • 8      RSA/SHA-256
  • 10     RSA/SHA-512
  • 13     ECDSA Curve P-256 with SHA-256
  • 14     ECDSA Curve P-384 with SHA-384
  • 253    Private [PRIVATEDNS]
  • 254    Private [PRIVATEOID]

Digest Type (digest_type) — The algorithm type that constructs the digest.  Allowed values are:

  • 1    SHA-1
  • 2    SHA-256
  • 3    GOST
  • 4    SHA-384

Digest (digest) — The digest is an alpha-numeric string value. The length depends on the digest type used:

  • SHA-1: 40 characters
  • SHA-256 and GOST: 64 characters
  • SHA-384: 96 characters
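
Because OpenSRS passes the DNSSEC values to the registry without validating them, it is worth checking each record on the client side before it is submitted. The following is an added example, not OpenSRS code: the function name `check_ds_record` is hypothetical, and the hexadecimal test on the digest and the SHA-1 warnings are assumptions of this example rather than rules stated on this page.

```python
import string

# Allowed values exactly as listed on this page.
ALLOWED_ALGORITHMS = {2, 3, 5, 6, 7, 8, 10, 13, 14, 253, 254}
DIGEST_LENGTH = {1: 40, 2: 64, 3: 64, 4: 96}   # digest_type -> characters
# This example's own policy (not an OpenSRS rule): flag SHA-1-based choices.
SHA1_ALGORITHMS = {3, 5, 6, 7}


def check_ds_record(rec):
    """Validate one DS record dict; return (errors, warnings)."""
    errors, warnings = [], []
    try:
        key_tag = int(rec["key_tag"])
        algorithm = int(rec["algorithm"])
        digest_type = int(rec["digest_type"])
        digest = str(rec["digest"])
    except (KeyError, TypeError, ValueError) as exc:
        return [f"missing or non-integer field: {exc!r}"], warnings
    if not 0 <= key_tag <= 65535:
        errors.append(f"key_tag {key_tag} is outside 0..65535")
    if algorithm not in ALLOWED_ALGORITHMS:
        errors.append(f"algorithm {algorithm} is not an allowed value")
    if digest_type not in DIGEST_LENGTH:
        errors.append(f"digest_type {digest_type} is not an allowed value")
    elif len(digest) != DIGEST_LENGTH[digest_type]:
        errors.append(f"digest has {len(digest)} characters, digest_type "
                      f"{digest_type} needs {DIGEST_LENGTH[digest_type]}")
    # Assumption: the digest is hexadecimal, as in this page's examples.
    if not digest or any(c not in string.hexdigits for c in digest):
        errors.append("digest is not a hexadecimal string")
    if algorithm in SHA1_ALGORITHMS:
        warnings.append(f"algorithm {algorithm} is SHA-1 based")
    if digest_type == 1:
        warnings.append("digest_type 1 is SHA-1")
    return errors, warnings


# Records from this page's request examples, plus one constructed bad record.
PAGE_MODIFY = {"algorithm": "5", "key_tag": "333", "digest_type": "1",
               "digest": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}
PAGE_SET = {"algorithm": "3", "key_tag": "321", "digest_type": "2", "digest":
            "3167e8c371b04da4936e4933358e861ab8dfff289f401eaaa2b9fd32f59e9358"}
CONSTRUCTED_BAD = {"algorithm": "8", "key_tag": "70000", "digest_type": "2",
                   "digest": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}

for name, rec in (("modify", PAGE_MODIFY), ("set", PAGE_SET),
                  ("bad", CONSTRUCTED_BAD)):
    print(name, *check_ds_record(rec), sep="\n  ")
```

A record with errors should not be sent; a record with only warnings is accepted by the allowed-value lists above.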

Transfers in

For domains being transferred in, DS records will be maintained and carried over to OpenSRS.

Supported TLDs

DNSSEC can be managed by resellers and registrants for a growing list of TLDs.  Please see the gTLD and ccTLD reference chart for specifics.

Example: Modify Domain

This performs the same function as Set DNSSEC Info.  To delete a single record, send a Get Domain request, then send a Modify or Set request with the full array minus the one you want to remove.

Request:

<?xml version="1.0" encoding="UTF-8"?>

<OPS_envelope>

  <header>

    <version>0.9</version>

  </header>

  <body>

    <data_block>

      <dt_assoc>

        <item key="protocol">XCP</item>

        <item key="action">modify</item>

        <item key="object">domain</item>

        <item key="cookie">Ea179p52N7LUPJWl:867410:1973</item>

        <item key="attributes">

          <dt_assoc>

            <item key="data">dnssec</item>

            <item key="dnssec">

              <dt_array>

                <item key="0">

                  <dt_assoc>

                    <item key="algorithm">5</item>

                    <item key="key_tag">333</item>

                    <item key="digest_type">1</item>

                    <item key="digest">da39a3ee5e6b4b0d3255bfef95601890afd80709</item>

                  </dt_assoc>

                </item>

              </dt_array>

            </item>

          </dt_assoc>

        </item>

      </dt_assoc>

    </data_block>

  </body>

</OPS_envelope>

 

Response:

<?xml version='1.0' encoding="UTF-8" standalone="no" ?>

<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">

<OPS_envelope>

 <header>

  <version>0.9</version>

 </header>

 <body>

  <data_block>

   <dt_assoc>

    <item key="protocol">XCP</item>

    <item key="object">DOMAIN</item>

    <item key="response_text">Command successful</item>

    <item key="action">REPLY</item>

    <item key="response_code">200</item>

    <item key="is_success">1</item>

   </dt_assoc>

  </data_block>

 </body>

</OPS_envelope>

Example: Get Domain

Request:

<?xml version="1.0" encoding="UTF-8"?>

<OPS_envelope>

  <header>

    <version>0.9</version>

  </header>

  <body>

    <data_block>

      <dt_assoc>

        <item key="protocol">XCP</item>

        <item key="action">get</item>

        <item key="object">domain</item>

        <item key="cookie">Ea179p52N7LUPJWl:867410:1973</item>

        <item key="attributes">

          <dt_assoc>

            <item key="type">dnssec</item>

          </dt_assoc>

        </item>

      </dt_assoc>

    </data_block>

  </body>

</OPS_envelope>

 

Response:

<?xml version='1.0' encoding="UTF-8" standalone="no" ?>

<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">

<OPS_envelope>

 <header>

  <version>0.9</version>

 </header>

 <body>

  <data_block>

   <dt_assoc>

    <item key="protocol">XCP</item>

    <item key="object">DOMAIN</item>

    <item key="response_text">Command successful</item>

    <item key="action">REPLY</item>

    <item key="attributes">

     <dt_assoc>

      <item key="dnssec">

       <dt_array>

        <item key="0">

         <dt_assoc>

          <item key="algorithm">5</item>

          <item key="key_tag">333</item>

          <item key="digest">da39a3ee5e6b4b0d3255bfef95601890afd80709</item>

          <item key="digest_type">1</item>

         </dt_assoc>

        </item>

       </dt_array>

      </item>

     </dt_assoc>

    </item>

    <item key="response_code">200</item>

    <item key="is_success">1</item>

   </dt_assoc>

  </data_block>

 </body>

</OPS_envelope>

Example: Set DNSSEC Info

This performs the same function as Modify Domain. To delete a single record, send a Get Domain request, then send a Modify or Set request with the full array minus the one you want to remove.

Request:

<?xml version="1.0" encoding="UTF-8"?>

<OPS_envelope>

  <header>

    <version>0.9</version>

  </header>

  <body>

    <data_block>

      <dt_assoc>

        <item key="protocol">XCP</item>

        <item key="action">set_dnssec_info</item>

        <item key="object">domain</item>

        <item key="cookie">Ea179p52N7LUPJWl:867410:1973</item>

        <item key="attributes">

          <dt_assoc>

            <item key="dnssec">

              <dt_array>

                <item key="0">

                  <dt_assoc>

                    <item key="algorithm">3</item>

                    <item key="key_tag">321</item>

                    <item key="digest_type">2</item>

                    <item key="digest">3167e8c371b04da4936e4933358e861ab8dfff289f401eaaa2b9fd32f59e9358</item>

                  </dt_assoc>

                </item>

              </dt_array>

            </item>

          </dt_assoc>

        </item>

      </dt_assoc>

    </data_block>

  </body>

</OPS_envelope>

 

Response:

<?xml version='1.0' encoding="UTF-8" standalone="no" ?>

<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">

<OPS_envelope>

 <header>

  <version>0.9</version>

 </header>

 <body>

  <data_block>

   <dt_assoc>

    <item key="protocol">XCP</item>

    <item key="object">DOMAIN</item>

    <item key="response_text">Command successful</item>

    <item key="action">REPLY</item>

    <item key="response_code">200</item>

    <item key="is_success">1</item>

   </dt_assoc>

  </data_block>

 </body>

</OPS_envelope>
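
The single-record deletion described under Modify Domain and Set DNSSEC Info (fetch the records, then resend the full array minus the one to remove) can be scripted as follows. This is an added example, not OpenSRS code: the function names and the cookie placeholder are hypothetical, the reply is a constructed sample in this page's layout, and sending the request is left out.

```python
import xml.etree.ElementTree as ET

# Constructed Get Domain reply in the page's layout (trimmed); the second DS
# record is made up so that one record remains after the removal.
GET_REPLY = b"""<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope><body><data_block><dt_assoc><item key="attributes"><dt_assoc>
<item key="dnssec"><dt_array>
<item key="0"><dt_assoc><item key="algorithm">5</item>
 <item key="key_tag">333</item><item key="digest_type">1</item>
 <item key="digest">da39a3ee5e6b4b0d3255bfef95601890afd80709</item></dt_assoc></item>
<item key="1"><dt_assoc><item key="algorithm">13</item>
 <item key="key_tag">4242</item><item key="digest_type">1</item>
 <item key="digest">0123456789abcdef0123456789abcdef01234567</item></dt_assoc></item>
</dt_array></item></dt_assoc></item></dt_assoc></data_block></body></OPS_envelope>"""
# Request skeleton following this page's set_dnssec_info example.
SKELETON = """<OPS_envelope><header><version>0.9</version></header>
<body><data_block><dt_assoc><item key="protocol">XCP</item>
<item key="action">set_dnssec_info</item><item key="object">domain</item>
<item key="cookie"/><item key="attributes"><dt_assoc><item key="dnssec">
<dt_array/></item></dt_assoc></item></dt_assoc></data_block></body></OPS_envelope>"""
FIELDS = ("algorithm", "key_tag", "digest_type", "digest")

def parse_ds_records(reply_xml):
    """Return the DS records of a Get Domain (type=dnssec) reply as dicts."""
    array = ET.fromstring(reply_xml).find(".//item[@key='dnssec']/dt_array")
    if array is None:
        return []
    return [{f.get("key"): (f.text or "").strip() for f in rec.find("dt_assoc")}
            for rec in array.findall("item")]

def build_set_request(cookie, records):
    """Build a set_dnssec_info request carrying the full array to keep."""
    env = ET.fromstring(SKELETON)
    env.find(".//item[@key='cookie']").text = cookie
    array = env.find(".//dt_array")
    for n, rec in enumerate(records):          # array keys restart at 0
        assoc = ET.SubElement(ET.SubElement(array, "item", key=str(n)), "dt_assoc")
        for field in FIELDS:
            ET.SubElement(assoc, "item", key=field).text = rec[field]
    return ET.tostring(env, encoding="unicode")

def remove_ds_record(reply_xml, cookie, key_tag, digest):
    """Return (request_xml, kept_records) with one matching record dropped."""
    records = parse_ds_records(reply_xml)
    target = (str(key_tag), digest.lower())
    kept = [r for r in records if (r["key_tag"], r["digest"].lower()) != target]
    if len(kept) != len(records) - 1:
        raise ValueError("expected exactly one matching DS record")
    return build_set_request(cookie, kept), kept
```

If the removed record was the only one, the request carries an empty dt_array, which is the request this page shows for removing all DNSSEC entries, so confirm that this is intended before sending it.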

Example: Get User Info

The Get User Info response now indicates, in its capabilities block, whether the domain supports DNSSEC:

<item key="dnssec">1</item>

Full response:

 

<?xml version='1.0' encoding="UTF-8" standalone="no" ?>

<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">

<OPS_envelope>

 <header>

  <version>0.9</version>

 </header>

 <body>

  <data_block>

   <dt_assoc>

    <item key="protocol">XCP</item>

    <item key="object">USERINFO</item>

    <item key="response_text">Command Successful</item>

    <item key="action">REPLY</item>

    <item key="attributes">

     <dt_assoc>

      <item key="allowed_contacts">

       <dt_array>

        <item key="0">owner</item>

        <item key="1">admin</item>

        <item key="2">billing</item>

        <item key="3">tech</item>

       </dt_array>

      </item>

      <item key="domain_auth_info_rules">

       <dt_array>

        <item key="0">Must be 1 to 32 characters.</item>

        <item key="1">Must contain at least one number, one letter and one special character.</item>

       </dt_array>

      </item>

      <item key="permission"></item>

      <item key="domain_tld_data_fields">

       <dt_array>

       </dt_array>

      </item>

      <item key="expiredate">2017-05-14 16:54:39</item>

      <item key="inaccuratewhois">0</item>

      <item key="username">testing</item>

      <item key="domain_auth_info_read_only">0</item>

      <item key="domain_count">1</item>

      <item key="domain">tucows-b0048fed2070a.com</item>

      <item key="f_owner">1</item>

      <item key="capabilities">

       <dt_assoc>

        <item key="forwarding_email">0</item>

        <item key="domain_forwarding_management">0</item>

        <item key="dns_management">0</item>

        <item key="whois_privacy_state">1</item>

        <item key="domain_lock">1</item>

        <item key="domain_auth_info">1</item>

        <item key="dnssec">1</item>

        <item key="change_ips_tag">0</item>

       </dt_assoc>

      </item>

      <item key="waiting_request">None</item>

      <item key="waiting_requests_no">0</item>

      <item key="trade_required">0</item>

     </dt_assoc>

    </item>

    <item key="response_code">200</item>

    <item key="is_success">1</item>

   </dt_assoc>

  </data_block>

 </body>

</OPS_envelope>

Example: Removing ALL DNSSEC entries from a domain

To remove all DNSSEC entries, send a set_dnssec_info request with an empty dnssec array.

Request:

<?xml version="1.0" encoding="UTF-8"?>

<OPS_envelope>

 <header>

   <version>0.9</version>

 </header>

 <body>

   <data_block>

     <dt_assoc>

       <item key="protocol">XCP</item>

       <item key="action">set_dnssec_info</item>

       <item key="object">domain</item>

       <item key="cookie">xUuzW6thjLuzFO54:868926:22832</item>

       <item key="attributes">

         <dt_assoc>

           <item key="dnssec">

             <dt_array/>

           </item>

         </dt_assoc>

       </item>

     </dt_assoc>

   </data_block>

 </body>

</OPS_envelope>
