What data should I provide to Openprovider to enable DNSSEC management if the zone is hosted on a custom nameserver?
The DNSSEC feature for domains pointed to custom nameservers allows you to add and manage your DS records.
To add a record, you first need to enable DNSSEC.
Log into your RCP account, select Domain overview on the left and click on the Edit domain data button for the specified domain.
Once you click the Use DNSSEC button, the menu to manage your DS records appears. To add a new record, fill in the corresponding fields with the necessary information.
In RCP, each DS record consists of three fields: Key type, Algorithm and Public key.
There are two types of keys used by DNSSEC:
- The zone signing key (ZSK) is used to sign and validate the individual record sets within the zone.
- The key signing key (KSK) is used to sign the DNSKEY records in the zone.
Both of these keys are stored as DNSKEY records in the zone file. These values are provided by the DNS/hosting provider that hosts your domain zone. If you are not sure where to get the records, please contact your hosting/DNS provider.
In the DNS itself, each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest.
In RCP, Algorithm and Digest type are combined into one field called Algorithm, and the Digest is referred to as Public key.
A DS record has the following format:
openprovider.com. 86399 IN DS 48931 8 2 990542A41A167C0670AF1071A96E7820959E0E4A4BD15B8304BBC320 240B2F3A
- openprovider.com. - the domain name that the DS record is for
- 86399 - the TTL, the time that the record may remain in a cache
- IN - the class, which stands for Internet
- 48931 - the Key Tag, the key's ID
- 8 - the algorithm type. Each algorithm allowed in DNSSEC has a specified number; algorithm 8 is RSA/SHA-256 and RSA/SHA-512.
- 2 - the Digest Type, i.e. the hash function that was used to generate the digest from the public key
- The string at the end is the Digest, the hash of the public key
Once the needed records are added, click on Save changes at the bottom of the page.
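As an added worked example (not part of the Openprovider article or its software), the following Python parses a DS record in the presentation format shown above, rejoins a digest that a tool printed in chunks, checks that the digest length matches the digest type, derives the DS from a DNSKEY the way RFC 4034 specifies so you can confirm the record your DNS provider handed you really matches your KSK before entering it, and maps the four DS fields onto the three RCP fields. The "alg-digesttype" notation for the combined RCP Algorithm field and the toy DNSKEY are assumptions.

```python
import base64
import hashlib

# DS digest types (IANA registry): hash function and expected hex length.
DIGEST_FUNC = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# The record from the article, exactly as a resolver prints it (digest split).
EXAMPLE_DS = ("openprovider.com. 86399 IN DS 48931 8 2 "
              "990542A41A167C0670AF1071A96E7820959E0E4A4BD15B8304BBC320 240B2F3A")

def parse_ds(line):
    """Split 'owner TTL IN DS keytag alg dtype digest' into its fields; tokens
    after the digest type are rejoined because tools print the digest in chunks."""
    parts = line.split()
    if "DS" not in parts:
        raise ValueError("not a DS record")
    i = parts.index("DS")
    key_tag, alg, dtype = (int(x) for x in parts[i + 1:i + 4])
    digest = "".join(parts[i + 4:]).upper()
    if len(digest) != DIGEST_HEX_LEN.get(dtype, -1):
        raise ValueError("digest length does not match digest type")
    int(digest, 16)  # raises ValueError on non-hex characters
    return {"owner": parts[0], "key_tag": key_tag, "algorithm": alg,
            "digest_type": dtype, "digest": digest}

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA bytes."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dtype=2):
    """Derive the DS for a DNSKEY (RFC 4034 section 5.1.4): the digest covers
    the canonical owner name in wire format followed by the DNSKEY RDATA."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    labels = owner.rstrip(".").lower().split(".")
    wire_owner = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = DIGEST_FUNC[dtype](wire_owner + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": dtype, "digest": digest}

def to_rcp_fields(ds, key_type="KSK"):
    """Map the four DS fields onto the three RCP fields named in the article.
    The 'alg-digesttype' notation for the combined field is an assumption."""
    return {"Key type": key_type, "Public key": ds["digest"],
            "Algorithm": f"{ds['algorithm']}-{ds['digest_type']}"}
```

Compare the dict returned by `ds_from_dnskey` for your KSK (flags 257) with `parse_ds` of the record you were given; all of key_tag, algorithm, digest_type and digest must agree.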