DNSSEC stands for DNS Security Extensions, and it is designed to protect Internet resolvers (clients) from forged DNS in order to prevent DNS tampering. DNSSEC works by digitally signing the DNS records at the authoritative DNS server. By checking the digital signature, a DNS resolver knows whether the information it receives is identical (correct and complete) to the information on the authoritative DNS server. This attests to the validity of the address, and ensures that the site you visit is the one you intended to go to rather than a site where your personal information could be compromised. If the DNS cannot be authenticated, your browser won't display the site.
Your DNS provider supplies the DNSSEC values that you enter for your domains.
Note: OpenSRS does not do any DNSSEC validation; we simply pass the DNSSEC values on to the registry.
You cannot assign DNSSEC values to the domain at the time that you register it, but once the domain is registered, you can modify it and add the DNSSEC values. There is no charge for this service.
Allowed values
The following values can be obtained from the DNS provider for the domain.
Key Tag (key_tag) — An integer value less than 65536 that identifies the DNSSEC record for this domain name. Value cannot be more than 65535.
Algorithm (algorithm) — The cryptographic algorithm that generates the signature. Allowed values are:
- 2 Diffie-Hellman
- 3 DSA/SHA-1
- 5 RSA/SHA-1
- 6 DSA-NSEC3/SHA1
- 7 RSASHA1-NSEC3/SHA1
- 8 RSA/SHA-256
- 10 RSA/SHA-512
- 13 ECDSA Curve P-256 with SHA-256
- 14 ECDSA Curve P-384 with SHA-384
- 253 Private [PRIVATEDNS]
- 254 Private [PRIVATEOID]
Digest Type (digest_type) — The algorithm type that constructs the digest. Allowed values are:
- 1 SHA-1
- 2 SHA-256
- 3 GOST
- 4 SHA-384
Digest (digest) — The digest is an alpha-numeric string value. The length depends on the digest type used:
SHA-1: 40 characters
SHA-256 and GOST: 64 characters
SHA-384: 96 characters
Transfers in
For domains being transferred in, DS records will be maintained and carried over to OpenSRS.
Supported TLDs
DNSSEC can be managed by resellers and registrants for a growing list of TLDs. Please see the gTLD and ccTLD reference chart for specifics.
Example: Modify Domain
This performs the same function as Set DNSSEC Info. To delete a single record, send a Get Domain request, then send a Modify or Set request with the full array minus the one you want to remove.
Request:
<?xml version="1.0" encoding="UTF-8"?>
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="action">modify</item>
<item key="object">domain</item>
<item key="cookie">Ea179p52N7LUPJWl:867410:1973</item>
<item key="attributes">
<dt_assoc>
<item key="data">dnssec</item>
<item key="dnssec">
<dt_array>
<item key="0">
<dt_assoc>
<item key="algorithm">5</item>
<item key="key_tag">333</item>
<item key="digest_type">1</item>
<item
key="digest">da39a3ee5e6b4b0d3255bfef95601890afd80709</item>
</dt_assoc>
</item>
</dt_array>
</item>
</dt_assoc>
</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
Response:
<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="object">DOMAIN</item>
<item key="response_text">Command successful</item>
<item key="action">REPLY</item>
<item key="response_code">200</item>
<item key="is_success">1</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
Example: Get Domain
Request:
<?xml version="1.0" encoding="UTF-8"?>
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="action">get</item>
<item key="object">domain</item>
<item key="cookie">Ea179p52N7LUPJWl:867410:1973</item>
<item key="attributes">
<dt_assoc>
<item key="type">dnssec</item>
</dt_assoc>
</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
Response:
<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="object">DOMAIN</item>
<item key="response_text">Command successful</item>
<item key="action">REPLY</item>
<item key="attributes">
<dt_assoc>
<item key="dnssec">
<dt_array>
<item key="0">
<dt_assoc>
<item key="algorithm">5</item>
<item key="key_tag">333</item>
<item
key="digest">da39a3ee5e6b4b0d3255bfef95601890afd80709</item>
<item key="digest_type">1</item>
</dt_assoc>
</item>
</dt_array>
</item>
</dt_assoc>
</item>
<item key="response_code">200</item>
<item key="is_success">1</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
Example: Set DNSSEC Info
This performs the same function as Modify Domain. To delete a single record, send a Get Domain request, then send a Modify or Set request with the full array minus the one you want to remove.
Request:
<?xml version="1.0" encoding="UTF-8"?>
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="action">set_dnssec_info</item>
<item key="object">domain</item>
<item key="cookie">Ea179p52N7LUPJWl:867410:1973</item>
<item key="attributes">
<dt_assoc>
<item key="dnssec">
<dt_array>
<item key="0">
<dt_assoc>
<item key="algorithm">3</item>
<item key="key_tag">321</item>
<item key="digest_type">2</item>
<item
key="digest">3167e8c371b04da4936e4933358e861ab8dfff289f401eaaa2b9fd32f59e9358</item>
</dt_assoc>
</item>
</dt_array>
</item>
</dt_assoc>
</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
Response:
<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="object">DOMAIN</item>
<item key="response_text">Command successful</item>
<item key="action">REPLY</item>
<item key="response_code">200</item>
<item key="is_success">1</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
Example: Get User Info
4. Get User info
The response will now include if the domain supports dnssec or not
<item key="dnssec">1</item>
Here is a full response if you need it
<?xml version='1.0' encoding="UTF-8" standalone="no" ?>
<!DOCTYPE OPS_envelope SYSTEM "ops.dtd">
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="object">USERINFO</item>
<item key="response_text">Command Successful</item>
<item key="action">REPLY</item>
<item key="attributes">
<dt_assoc>
<item key="allowed_contacts">
<dt_array>
<item key="0">owner</item>
<item key="1">admin</item>
<item key="2">billing</item>
<item key="3">tech</item>
</dt_array>
</item>
<item key="domain_auth_info_rules">
<dt_array>
<item key="0">Must be 1 to 32 characters.</item>
<item key="1">Must contain at least one number, one letter and
one special character.</item>
</dt_array>
</item>
<item key="permission"></item>
<item key="domain_tld_data_fields">
<dt_array>
</dt_array>
</item>
<item key="expiredate">2017-05-14 16:54:39</item>
<item key="inaccuratewhois">0</item>
<item key="username">testing</item>
<item key="domain_auth_info_read_only">0</item>
<item key="domain_count">1</item>
<item key="domain">tucows-b0048fed2070a.com</item>
<item key="f_owner">1</item>
<item key="capabilities">
<dt_assoc>
<item key="forwarding_email">0</item>
<item key="domain_forwarding_management">0</item>
<item key="dns_management">0</item>
<item key="whois_privacy_state">1</item>
<item key="domain_lock">1</item>
<item key="domain_auth_info">1</item>
<item key="dnssec">1</item>
<item key="change_ips_tag">0</item>
</dt_assoc>
</item>
<item key="waiting_request">None</item>
<item key="waiting_requests_no">0</item>
<item key="trade_required">0</item>
</dt_assoc>
</item>
<item key="response_code">200</item>
<item key="is_success">1</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
Example: Removing ALL DNSSEC entries from a domain
Example:
<?xml version="1.0" encoding="UTF-8"?>
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key="protocol">XCP</item>
<item key="action">set_dnssec_info</item>
<item key="object">domain</item>
<item key="cookie">xUuzW6thjLuzFO54:868926:22832</item>
<item key="attributes">
<dt_assoc>
<item key="dnssec">
<dt_array/>
</item>
</dt_assoc>
</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
0 Comments