Managing DS records for DNSSEC
This document explains how to use our systems for managing DS records for DNSSEC.
EPP
DS records may be added to domain names using the <domain:create> and <domain:update> operations. DS records for a domain name may be queried using the <domain:info> operation.
Schema support for DNSSEC
Our support for DNSSEC in Standard EPP uses the standard secDNS-1.1.xsd schema for the addition and removal of all DS records and also for the responses to <domain:info> operations.
Our support for the secDNS-1.1 schema has the following constraints:
- The optional Maximum Signature Lifetime (maxSigLife) element is not supported
- We only support the DS Data Interface – we do not support the Key Data Interface
- We do not support the optional “urgent” attribute in the <secDNS:update> element
- A maximum of eight DS records is allowed for each domain
Any request which breaks these constraints will fail and the error message received will contain an automaton error code which indicates the reason for the failure.
Documentation for the secDNS schema can be found in RFC 5910 and details of the DS record fields are described in RFC 4034.
The secDNS-1.1 schema can be used in combination with the Standard EPP schemas already supported by Nominet. However, if any of the Nominet optional extensions to Standard EPP are used then the most recent schema set must be used (at least 1.0.2).
EPP Operations
<domain:create>
When a domain is created, up to 8 DS records can also be specified for the domain by using a <secDNS:create> element with one or more <secDNS:dsData> elements from the secDNS-1.1 extension schema. If more than 8 DS records are specified then the request will fail.
<domain:update>
The <domain:update> operation can be used to add or remove DS records for an existing domain by specifying a <secDNS:update> element.
A maximum of 8 DS records can be specified for removal or addition within the <secDNS:update> element – if more than 8 records are added or removed then the update will fail. The update will also fail if the result of adding new DS records to the domain would be that more than 8 DS records are associated with the domain.
<domain:info>
If the secDNS schema is used when logging in to EPP and the domain has DS records, then the response from the info command will include information about the DS records which are on the domain.
If the secDNS schema was not specified when logging in to EPP then no information about DS records will be included in the response.
<r:release>
When the release operation is used to move a domain name with DS records onto another tag the EPP system will check to see if the receiving tag supports DNSSEC.
If the receiving tag supports DNSSEC then the DS records for the domain will not be altered. However, if the receiving tag does not support DNSSEC then any DS records will be removed from the domain.
Contents of the <secDNS:dsData> element
When creating or changing DS records for a domain the following fields must be set in the <secDNS:dsData> element for each DS record:
- keyTag: The Key Tag value for the DS record (as described in Section 5.1.1 of RFC 4034)
- alg: The Algorithm number used in the DS record
- digestType: The Digest Type – this identifies the algorithm used to construct the Digest field for the DS record
- digest: The Digest for the DS record
These fields are described in more detail in RFC 4034. Full details of the DNSSEC algorithm and digest types supported by Nominet are described here.
If the information supplied for a DS record is incomplete or invalid then the operation to create or update the domain will fail and the error message will contain an automaton error code which indicates the reason for the failure.
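As an added illustration (not Nominet's code and not part of this page), the following Python checks the four dsData fields for the shape problems that would make a create or update fail, and, going beyond the page, derives them from a DNSKEY as RFC 4034 describes: the key tag from Appendix B and the digest as the hash of the canonical owner name followed by the DNSKEY RDATA. The digest-type table, the toy key bytes and the domain name are assumptions made for the example; which algorithms and digest types Nominet actually accepts is governed by the page linked above, not by this table.

```python
import hashlib
import re

# Digest types (RFC 4034 section 5.1.3 / IANA DS digest registry) that this
# example recognises, mapped to the hex length of a well-formed digest.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}          # SHA-1, SHA-256, SHA-384
DIGEST_FUNC = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
MAX_DS_PER_DOMAIN = 8  # limit stated on this page


def validate_ds_record(key_tag, alg, digest_type, digest):
    """List the shape problems in one DS record (empty list means well-formed).

    This catches what the registry rejects as incomplete or invalid; it does
    not prove the record matches the DNSKEY actually published in the zone.
    """
    problems = []
    if not 0 <= key_tag <= 65535:
        problems.append("keyTag must be a 16-bit value")
    if not 0 <= alg <= 255:
        problems.append("alg must be an 8-bit value")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest or ""):
        problems.append("digest must be hexadecimal")
    if digest_type not in DIGEST_HEX_LEN:
        problems.append("unsupported digestType %r" % (digest_type,))
    elif len(digest or "") != DIGEST_HEX_LEN[digest_type]:
        problems.append("digestType %d needs a %d-character digest, got %d"
                        % (digest_type, DIGEST_HEX_LEN[digest_type],
                           len(digest or "")))
    return problems


def validate_ds_set(records):
    """Problems for a whole set of (keyTag, alg, digestType, digest) tuples."""
    problems = []
    if len(records) > MAX_DS_PER_DOMAIN:
        problems.append("%d DS records exceed the limit of %d"
                        % (len(records), MAX_DS_PER_DOMAIN))
    if len(set(records)) != len(records):
        problems.append("duplicate DS records in the set")
    for record in records:
        problems.extend("keyTag %s: %s" % (record[0], p)
                        for p in validate_ds_record(*record))
    return problems


def owner_name_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_key_tag(rdata):
    """Key Tag of a DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, alg, public_key, digest_type=2):
    """Derive the four dsData fields from a DNSKEY (RFC 4034 section 5.1.4).

    digest = hash(canonical owner name | DNSKEY RDATA), returned as upper hex.
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + public_key
    digest = DIGEST_FUNC[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return dnskey_key_tag(rdata), alg, digest_type, digest.upper()


if __name__ == "__main__":
    # Constructed toy key material for the demonstration, not a real DNSKEY.
    record = ds_from_dnskey("epp-example.co.uk", 257, 3, 8, bytes([0, 1, 2, 3]))
    print(record, validate_ds_record(*record))
```

Running the derived record back through validate_ds_record before it goes into a <secDNS:dsData> element is the cheap check that avoids a failed request; the registry cannot tell a mistyped digest from a correct one.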
Example requests and responses
<domain:create>
Example request to create a domain on an existing account with the following DS Records:
- Key-Tag: 101, Algorithm: 5, Digest-Type: 1, Digest: 38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
- Key-Tag: 102, Algorithm: 5, Digest-Type: 2, Digest: D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <create>
      <domain:create xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>epp-example.co.uk</domain:name>
        <domain:registrant>5558B07C241A072</domain:registrant>
        <domain:authInfo>
          <domain:pw/>
        </domain:authInfo>
      </domain:create>
    </create>
    <extension>
      <secDNS:create xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1" xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:dsData>
          <secDNS:keyTag>101</secDNS:keyTag>
          <secDNS:alg>5</secDNS:alg>
          <secDNS:digestType>1</secDNS:digestType>
          <secDNS:digest>38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
        </secDNS:dsData>
        <secDNS:dsData>
          <secDNS:keyTag>102</secDNS:keyTag>
          <secDNS:alg>5</secDNS:alg>
          <secDNS:digestType>2</secDNS:digestType>
          <secDNS:digest>D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A</secDNS:digest>
        </secDNS:dsData>
      </secDNS:create>
    </extension>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>
<domain:update>
Example request to remove one existing DS record and add 2 new DS records:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <update>
      <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>epp-example.co.uk</domain:name>
      </domain:update>
    </update>
    <extension>
      <secDNS:update xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1" xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:rem>
          <secDNS:dsData>
            <secDNS:keyTag>123</secDNS:keyTag>
            <secDNS:alg>5</secDNS:alg>
            <secDNS:digestType>1</secDNS:digestType>
            <secDNS:digest>ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD</secDNS:digest>
          </secDNS:dsData>
        </secDNS:rem>
        <secDNS:add>
          <secDNS:dsData>
            <secDNS:keyTag>12345</secDNS:keyTag>
            <secDNS:alg>5</secDNS:alg> <!-- RSA/SHA-1 -->
            <secDNS:digestType>1</secDNS:digestType> <!-- SHA-1 -->
            <secDNS:digest>38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
          </secDNS:dsData>
          <secDNS:dsData>
            <secDNS:keyTag>12346</secDNS:keyTag>
            <secDNS:alg>5</secDNS:alg>
            <secDNS:digestType>1</secDNS:digestType>
            <secDNS:digest>38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
          </secDNS:dsData>
        </secDNS:add>
      </secDNS:update>
    </extension>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>
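The limits described under <domain:update> are simplest to enforce before anything is sent. The following Python is an added example, not Nominet's code or code from this page: it applies the three 8-record rules to the set currently on the domain (from an earlier <domain:info>), the set to add and the set to remove, then serialises a request shaped like the one above with xml.etree. The clTRID default, the helper names and the DS values in the demonstration are constructed for the example.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"
MAX_DS = 8  # limit stated on this page for add, rem and the resulting set

# Register the prefixes so the serialised XML reads like the page's example.
ET.register_namespace("domain", DOMAIN_NS)
ET.register_namespace("secDNS", SECDNS_NS)


class DsLimitError(ValueError):
    """Raised when an update would be rejected by one of the 8-record limits."""


def limit_violation(current, add, rem):
    """Return the reason an update would be rejected, or None if it is in bounds.

    `current`, `add` and `rem` are sets of (keyTag, alg, digestType, digest).
    """
    if len(add) > MAX_DS:
        return "more than %d DS records in <secDNS:add>" % MAX_DS
    if len(rem) > MAX_DS:
        return "more than %d DS records in <secDNS:rem>" % MAX_DS
    remaining = (set(current) - set(rem)) | set(add)
    if len(remaining) > MAX_DS:
        return "domain would hold %d DS records, limit is %d" % (len(remaining), MAX_DS)
    return None


def check_update_limits(current, add, rem):
    """Return the DS set the domain would hold after the update, or raise."""
    reason = limit_violation(current, add, rem)
    if reason:
        raise DsLimitError(reason)
    return (set(current) - set(rem)) | set(add)


def _ds_data(parent, record):
    """Append one <secDNS:dsData> with the four mandatory children."""
    key_tag, alg, digest_type, digest = record
    ds = ET.SubElement(parent, "{%s}dsData" % SECDNS_NS)
    for tag, value in (("keyTag", key_tag), ("alg", alg),
                       ("digestType", digest_type), ("digest", digest)):
        ET.SubElement(ds, "{%s}%s" % (SECDNS_NS, tag)).text = str(value)


def build_secdns_update(domain, current, add, rem, cl_trid="ABC-12345"):
    """Serialise a <domain:update> whose extension carries <secDNS:update>.

    The limits are checked first so an over-size request is never sent.
    """
    check_update_limits(current, add, rem)
    # Default namespace written as a plain attribute; EPP children stay unprefixed.
    epp = ET.Element("epp", {"xmlns": EPP_NS})
    command = ET.SubElement(epp, "command")
    update = ET.SubElement(command, "update")
    dom_update = ET.SubElement(update, "{%s}update" % DOMAIN_NS)
    ET.SubElement(dom_update, "{%s}name" % DOMAIN_NS).text = domain
    extension = ET.SubElement(command, "extension")
    sec_update = ET.SubElement(extension, "{%s}update" % SECDNS_NS)
    # RFC 5910 orders <secDNS:rem> before <secDNS:add>, as in the page's example.
    if rem:
        rem_el = ET.SubElement(sec_update, "{%s}rem" % SECDNS_NS)
        for record in sorted(rem):
            _ds_data(rem_el, record)
    if add:
        add_el = ET.SubElement(sec_update, "{%s}add" % SECDNS_NS)
        for record in sorted(add):
            _ds_data(add_el, record)
    ET.SubElement(command, "clTRID").text = cl_trid
    return ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
            + ET.tostring(epp, encoding="unicode"))


if __name__ == "__main__":
    # Constructed values mirroring the update example on this page.
    on_domain = {(123, 5, 1, "ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD")}
    to_add = {(12345, 5, 1, "38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B"),
              (12346, 5, 1, "38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B")}
    print(build_secdns_update("epp-example.co.uk", on_domain, to_add, on_domain))
```

The result-count rule is the one that bites in practice: a request that adds two records and removes none is well within the per-element limits, yet fails if the domain already holds seven, so the check needs the current set as input rather than just the request.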
<domain:info>
Example response for a domain with 2 DS records:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>epp-example.co.uk</domain:name>
        <domain:roid>109098-UK</domain:roid>
        <domain:registrant>9EB07F275D8F1BD</domain:registrant>
        <domain:ns>
          <domain:hostObj>ns0.epp-example.co.uk</domain:hostObj>
        </domain:ns>
        <domain:clID>EPP-EXAMPLE</domain:clID>
        <domain:crID>[email protected]</domain:crID>
        <domain:crDate>2010-01-19T09:01:38</domain:crDate>
        <domain:exDate>2012-01-19T09:01:38</domain:exDate>
      </domain:infData>
    </resData>
    <extension>
      <secDNS:infData xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1" xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:dsData>
          <secDNS:keyTag>123</secDNS:keyTag>
          <secDNS:alg>5</secDNS:alg>
          <secDNS:digestType>1</secDNS:digestType>
          <secDNS:digest>0123456789ABCDEF0123456789ABCDEF12345678</secDNS:digest>
        </secDNS:dsData>
      </secDNS:infData>
      <secDNS:infData xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1" xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:dsData>
          <secDNS:keyTag>124</secDNS:keyTag>
          <secDNS:alg>2</secDNS:alg>
          <secDNS:digestType>2</secDNS:digestType>
          <secDNS:digest>ABCD1234ABCD12345678ABCD1234ABCD1234567801234567890123456789ABCD</secDNS:digest>
        </secDNS:dsData>
      </secDNS:infData>
    </extension>
    <trID>
      <clTRID>EPP-XYZ-99900</clTRID>
      <svTRID>122454</svTRID>
    </trID>
  </response>
</epp>
<domain:info>
From the 5th April, a domain:info response will be structured as below, with all DS records inside a single <secDNS:infData> element:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>epp-example.co.uk</domain:name>
        <domain:roid>109098-UK</domain:roid>
        <domain:registrant>9EB07F275D8F1BD</domain:registrant>
        <domain:ns>
          <domain:hostObj>ns0.epp-example.co.uk</domain:hostObj>
        </domain:ns>
        <domain:clID>EPP-EXAMPLE</domain:clID>
        <domain:crID>[email protected]</domain:crID>
        <domain:crDate>2010-01-19T09:01:38</domain:crDate>
        <domain:exDate>2012-01-19T09:01:38</domain:exDate>
      </domain:infData>
    </resData>
    <extension>
      <secDNS:infData xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1" xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:dsData>
          <secDNS:keyTag>123</secDNS:keyTag>
          <secDNS:alg>5</secDNS:alg>
          <secDNS:digestType>1</secDNS:digestType>
          <secDNS:digest>0123456789ABCDEF0123456789ABCDEF12345678</secDNS:digest>
        </secDNS:dsData>
        <secDNS:dsData>
          <secDNS:keyTag>124</secDNS:keyTag>
          <secDNS:alg>2</secDNS:alg>
          <secDNS:digestType>2</secDNS:digestType>
          <secDNS:digest>ABCD1234ABCD12345678ABCD1234ABCD1234567801234567890123456789ABCD</secDNS:digest>
        </secDNS:dsData>
      </secDNS:infData>
    </extension>
    <trID>
      <clTRID>EPP-XYZ-99900</clTRID>
      <svTRID>122454</svTRID>
    </trID>
  </response>
</epp>
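Since both layouts shown above may be encountered, client code should collect <secDNS:dsData> across every <secDNS:infData> rather than assume one element per record or one element per domain. The following Python is an added example (not Nominet's code and not from this page): it parses either layout into a set of tuples and compares that set with the records you intended to publish, which is also the check to run after an <r:release> to confirm the DS records survived the move to the receiving tag. The two trimmed responses are constructed from the page's values, with the xsi attributes left out for brevity.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"


def ds_records_from_info(response_xml):
    """Return the set of (keyTag, alg, digestType, digest) in an info response.

    Every <secDNS:infData> under <extension> is walked, so the result is the
    same whether the server sends one infData per record (older layout) or a
    single infData holding all dsData elements (RFC 5910 layout).  An empty
    set means no DS data came back, which is also what a login without the
    secDNS schema produces.
    """
    root = ET.fromstring(response_xml)
    result = root.find(".//{%s}result" % EPP_NS)
    code = None if result is None else result.get("code")
    if code != "1000":
        raise ValueError("info command did not succeed, result code %s" % code)
    records = set()
    path = ".//{%s}extension/{%s}infData/{%s}dsData" % (EPP_NS, SECDNS_NS, SECDNS_NS)
    for ds in root.iterfind(path):
        def field(tag):
            return ds.findtext("{%s}%s" % (SECDNS_NS, tag))
        records.add((int(field("keyTag")), int(field("alg")),
                     int(field("digestType")), field("digest").upper()))
    return records


def ds_drift(intended, published):
    """Compare the DS set you meant to publish with what the registry reports.

    Returns (missing, unexpected): records you expect but the registry no longer
    holds, and records present that you did not intend.
    """
    intended, published = set(intended), set(published)
    return sorted(intended - published), sorted(published - intended)


# Constructed responses carrying the page's two DS records in both layouts.
_HEAD = ('<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><response>'
         '<result code="1000"><msg>Command completed successfully</msg></result>'
         '<resData><domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">'
         '<domain:name>epp-example.co.uk</domain:name></domain:infData></resData>'
         '<extension>')
_TAIL = ('</extension><trID><clTRID>EPP-XYZ-99900</clTRID><svTRID>122454</svTRID>'
         '</trID></response></epp>')
_INF = '<secDNS:infData xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">'
_DS1 = ('<secDNS:dsData><secDNS:keyTag>123</secDNS:keyTag><secDNS:alg>5</secDNS:alg>'
        '<secDNS:digestType>1</secDNS:digestType>'
        '<secDNS:digest>0123456789ABCDEF0123456789ABCDEF12345678</secDNS:digest>'
        '</secDNS:dsData>')
_DS2 = ('<secDNS:dsData><secDNS:keyTag>124</secDNS:keyTag><secDNS:alg>2</secDNS:alg>'
        '<secDNS:digestType>2</secDNS:digestType>'
        '<secDNS:digest>ABCD1234ABCD12345678ABCD1234ABCD1234567801234567890123456789ABCD'
        '</secDNS:digest></secDNS:dsData>')
OLD_LAYOUT = _HEAD + _INF + _DS1 + "</secDNS:infData>" + _INF + _DS2 + "</secDNS:infData>" + _TAIL
NEW_LAYOUT = _HEAD + _INF + _DS1 + _DS2 + "</secDNS:infData>" + _TAIL

if __name__ == "__main__":
    published = ds_records_from_info(NEW_LAYOUT)
    print(published == ds_records_from_info(OLD_LAYOUT))
    print(ds_drift(published | {(999, 8, 2, "00" * 32)}, published))
```

A non-empty `missing` list after a release is the signal that the receiving tag did not support DNSSEC and the registry dropped the records; the zone's signatures are then unvalidatable until the DS records are re-added.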
Web Domain Manager
Web domain manager can be used to add and remove DS records for domain names in the parent zone file.
Adding and removing DS records
From the domain list in web domain manager, click on a domain name – a summary of the domain name’s details will be shown. DS records will be listed immediately after the list of nameservers for the domain. If there are currently no DS records for the domain, an ‘Add DS record’ link will be available. If DS records have already been added then the link will be ‘Add/remove DS records’.
Click the appropriate link to add or change DS records. Below the list of existing DS records there is a text field for new DS records. Text for DS records should be of the form:
<key tag> <algorithm> <digest type> <digest>
For example: 5498 5 1 FAA0119283234239872398723498234987ABD001
Creating new DNSSEC enabled domain names
It is not currently possible to add a new domain name with DS records attached at the time of creation. The new domain name should be created as usual, then edited to add the DS record as above.
Minerva House, Edmund Halley Road, Oxford Science Park, OX4 4DQ, United Kingdom