From HEXONET Wiki
Latest revision as of 16:25, 29 February 2024
DNSSEC (SecureDNS)
The DNSSEC extension to our API covers three (3) API commands: AddDomain, ModifyDomain and StatusDomain.
We designed our API to be compatible with all current and future DNSSEC-enabled registry systems.
Similar to the handling of contacts and nameservers, two (2) different ways exist for a registry to manage DNSSEC data for delegations:
- DS based (e.g. .ORG)
- DNSKEY based (e.g. .de).
The HEXONET API supports both types.
Further, beyond just the required type, we have set up our system to also accept both DS and KEY data simultaneously for any TLD, so that anyone can simply submit both instead of having to determine which one is required for each TLD.
You can therefore either implement just the minimum requirement on a per-TLD basis, or always provide both DS and KEY data.
Please be advised that our nameserver cluster doesn't support DNSSEC yet, so for now you will need to set up your own DNSSEC-enabled nameservers.
Supported TLDs
To check whether DNSSEC is supported for a given HEXONET TLD, see the SEC DNS column in the domain-detail view.
General parameters
secDNS-remove-all = 0 | 1 (ModifyDomain)
This parameter is used to remove all DNSSEC records (DS and key data), if set to 1. A value of 0 will do nothing.
secDNS-maxSigLife = <INT> (AddDomain/ModifyDomain)
An OPTIONAL parameter expressing the child's preference for the number of seconds after signature generation when the parent's signature on the DS information provided by the child will expire (the secDNS:maxSigLife element of RFC 5910). There is ONLY ONE maxSigLife per domain. The use of this parameter depends on the registry operator; many TLDs will silently ignore it.
secDNS-urgent = 0 | 1 (ModifyDomain)
This parameter is used to ask the server operator to complete and implement the update request with high priority. The use of this flag depends on the registry operator, many TLDs will silently ignore it.
DS Data Interface
secDNS-ds# = <keyTag> <alg> <digestType> <digest> (AddDomain/ModifyDomain)
addsecDNS-ds# = <keyTag> <alg> <digestType> <digest> (ModifyDomain)
delsecDNS-ds# = <keyTag> <alg> <digestType> <digest> (ModifyDomain)
The order of these whitespace-separated parameters matches the DNS DS record type.
secDNS-ds keyTag = <INT>
A parameter that contains a key tag value as described in Section 5.1.1 of RFC 4034. The parameter is represented as an unsignedShort [W3C.REC-xmlschema-2-20010502].
secDNS-ds alg = <INT>
A parameter that contains an algorithm value as described in Section 5.1.2 of RFC 4034.
secDNS-ds digestType = <INT>
A parameter that contains a digest type value as described in Section 5.1.3 of RFC 4034. The digest is computed over the owner name (in canonical wire form) followed by the DNSKEY RDATA, so a DS record is bound to the delegation it was generated for and cannot be reused for another name.
Available options are:
SHA-1 (SHA1) - Digest Type 1 (deprecated: RFC 8624 says MUST NOT be used when generating new DS records)
SHA-256 (SHA256) - Digest Type 2 (required everywhere; use this by default)
GOST R 34.11-94 (GOST) - Digest Type 3 (deprecated; only a few ccTLD registries ever accepted it)
SHA-384 (SHA384) - Digest Type 4 (optional alternative)
A registry is free to reject digest types it does not support, so SHA-256 is the safe choice for every TLD; add a SHA-384 DS alongside it only if the registry accepts it.
secDNS-ds digest = <TEXT>
A parameter that contains a digest value as described in Section 5.1.4 of RFC 4034. The parameter is represented as a hexBinary [W3C.REC-xmlschema-2-20010502].
Key Data Interface
Key data may be provided OPTIONALLY when using the DS Data Interface, using these parameters:
secDNS-key# = <flags> <protocol> <alg> <pubKey> (AddDomain/ModifyDomain)
addsecDNS-key# = <flags> <protocol> <alg> <pubKey> (ModifyDomain)
delsecDNS-key# = <flags> <protocol> <alg> <pubKey> (ModifyDomain)
The order of these whitespace-separated parameters matches the DNS DNSKEY record type.
secDNS-key flags = <INT>
A parameter that contains a flags field value as described in Section 2.1.1 of RFC 4034.
secDNS-key protocol = <INT>
A parameter that contains a protocol field value as described in Section 2.1.2 of RFC 4034.
The protocol field MUST have the value 3; no other value is accepted.
secDNS-key alg = <INT>
A parameter that contains an algorithm number field value as described in Section 2.1.3 of RFC 4034. The numbers come from the IANA "DNS Security Algorithm Numbers" registry; the status in brackets is the RFC 8624 guidance for creating new keys and signatures:
RSA/MD5 - Algorithm Number 1 (deprecated, MD5)
Diffie-Hellman - Algorithm Number 2 (key exchange only, cannot sign)
DSA/SHA-1 - Algorithm Number 3 (deprecated)
RSA/SHA-1 - Algorithm Number 5 (deprecated)
DSA-NSEC3-SHA1 - Algorithm Number 6 (deprecated)
RSASHA1-NSEC3-SHA1 - Algorithm Number 7 (deprecated)
RSA/SHA-256 - Algorithm Number 8 (required, recommended default for RSA)
RSA/SHA-512 - Algorithm Number 10 (allowed, not recommended)
ECC-GOST - Algorithm Number 12 (deprecated)
ECDSA Curve P-256 with SHA-256 - Algorithm Number 13 (required, recommended)
ECDSA Curve P-384 with SHA-384 - Algorithm Number 14 (allowed)
Ed25519 - Algorithm Number 15 (recommended)
Ed448 - Algorithm Number 16 (allowed)
Algorithms 3, 5, 6 and 7 are deprecated because they depend on SHA-1; 1 because of MD5. For new keys use 8, 13 or 15 (10, 14 and 16 are acceptable alternatives). Note that the key tag of an algorithm-1 key is computed differently from all other algorithms (RFC 4034 Appendix B.1).
Registry support varies: some registries reject algorithm numbers they do not know, so check the TLD's DNSSEC policy before submitting a key with a newer algorithm such as 15 or 16.
secDNS-key pubKey = <TEXT>
A parameter that contains an encoded public key field value as described in Section 2.1.4 of RFC 4034. The parameter is represented as a base64Binary [W3C.REC-xmlschema-2-20010502] with a minimum length of 1.
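Because the API accepts DS and KEY data together for any TLD, the practical approach is to derive the DS records locally from the DNSKEY and submit both in one request. The following is an added example, not HEXONET's own code or SDK: it computes the key tag (RFC 4034 Appendix B) and the DS digest (owner name in canonical form followed by the DNSKEY RDATA), enforces the field rules stated above (protocol 3, no deprecated algorithms or digest types unless explicitly allowed), emits the secDNS-key#/secDNS-ds# parameters in the documented field order, and checks whether a DS you were handed actually belongs to a given key. The parameter names, field order and the sample key from this page are the only things it assumes; the HTTP transport to the API is left to the caller.

```python
"""Build HEXONET secDNS-* request parameters from DNSKEY data.

Added example, not HEXONET's own code.  Assumes the parameter names and field
order documented on this page (secDNS-key#, secDNS-ds#, secDNS-maxSigLife).
"""
import base64
import hashlib
import struct

# RFC 8624 status for creating new keys; registries may be stricter.
ALLOWED_ALGS = {8, 10, 13, 14, 15, 16}
DEPRECATED_ALGS = {1, 2, 3, 5, 6, 7, 12}   # MD5, DH, DSA, SHA-1 based, ECC-GOST
# Digest type 3 (GOST R 34.11-94) is not in hashlib and is MUST NOT anyway.
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
DEPRECATED_DIGEST_TYPES = {1, 3}


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_key(param: str):
    """Parse '<flags> <protocol> <alg> <pubKey>' and apply the page's rules:
    protocol must be 3, the key must be non-empty base64."""
    try:
        flags_s, proto_s, alg_s, pubkey_b64 = param.split(None, 3)
        flags, protocol, alg = int(flags_s), int(proto_s), int(alg_s)
    except ValueError as exc:
        raise ValueError(f"malformed key data {param!r}") from exc
    if protocol != 3:
        raise ValueError(f"protocol must be 3, got {protocol}")
    if flags not in (256, 257):   # 256 = zone key (ZSK), 257 = zone key + SEP (KSK)
        raise ValueError(f"unexpected flags {flags}")
    pubkey = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    if not pubkey:
        raise ValueError("pubKey must not be empty")
    return flags, protocol, alg, pubkey


def check_algorithm(alg: int, allow_deprecated: bool) -> None:
    if alg in DEPRECATED_ALGS and not allow_deprecated:
        raise ValueError(f"algorithm {alg} is deprecated for new keys (RFC 8624)")
    if alg not in ALLOWED_ALGS and alg not in DEPRECATED_ALGS:
        raise ValueError(f"algorithm {alg} is not a known signing algorithm")


def ds_param(owner: str, flags: int, protocol: int, alg: int, pubkey: bytes,
             digest_type: int) -> str:
    """'<keyTag> <alg> <digestType> <digest>' for one DS record.  The digest
    covers owner name + DNSKEY RDATA, so the DS is bound to this delegation."""
    if digest_type not in DIGEST_FUNCS:
        raise ValueError(f"unsupported digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, alg, pubkey)
    digest = DIGEST_FUNCS[digest_type](canonical_owner_name(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest.upper()}"


def build_secdns_params(domain, key_params, digest_types=(2,), max_sig_life=None,
                        allow_deprecated=False):
    """AddDomain/ModifyDomain parameters carrying both KEY and DS data."""
    params = {"domain": domain}
    if max_sig_life is not None:
        params["secDNS-maxSigLife"] = str(max_sig_life)   # many registries ignore it
    ds_index = 0
    for key_index, key_param in enumerate(key_params):
        flags, protocol, alg, pubkey = parse_key(key_param)
        check_algorithm(alg, allow_deprecated)
        params[f"secDNS-key{key_index}"] = (
            f"{flags} {protocol} {alg} {base64.b64encode(pubkey).decode('ascii')}")
        for digest_type in digest_types:
            if digest_type in DEPRECATED_DIGEST_TYPES and not allow_deprecated:
                raise ValueError(f"digest type {digest_type} is deprecated (RFC 8624)")
            params[f"secDNS-ds{ds_index}"] = ds_param(domain, flags, protocol, alg,
                                                      pubkey, digest_type)
            ds_index += 1
    return params


def ds_matches_key(owner: str, ds: str, key: str) -> bool:
    """True if the DS string was generated from this key for this owner name."""
    try:
        tag_s, alg_s, dt_s, digest = ds.split()
        flags, protocol, alg, pubkey = parse_key(key)
        if int(alg_s) != alg:
            return False
        expected = ds_param(owner, flags, protocol, alg, pubkey, int(dt_s))
    except ValueError:
        return False
    return expected == f"{int(tag_s)} {alg} {int(dt_s)} {digest.upper()}"


if __name__ == "__main__":
    # The page's own de-domain.de sample key; algorithm 5 needs allow_deprecated.
    PAGE_KEY = ("257 3 5 AwEAAcXwGatVRLkzRgV/sFSr0h4n+u/OVDuWI7bkAgXeEc3i/dSBfcG7/k5OvhYK"
                "Cq+eQYbTP/kHsQUOzQPW2dDNSgFfQYOqN4ItAbxEhc7e5b79tVThCp5vxRT1iDp57bPl"
                "B0M2vfGr3d2TwNZUmUP4RQqyycJm2KXXYpI81aY+DCzh")
    request = build_secdns_params("de-domain.de", [PAGE_KEY], digest_types=(2, 4),
                                  max_sig_life=604800, allow_deprecated=True)
    for name, value in request.items():
        print(f"{name} = {value}")
```

Run as a script it prints the full parameter set for the page's sample key (one secDNS-key0 plus a SHA-256 and a SHA-384 DS). Two design points: the owner name is part of the digest input, so the DS produced for de-domain.de will not validate for any other name, which is exactly what ds_matches_key checks before you trust a DS supplied by a DNS operator; and deprecated algorithms and digest types are rejected unless you opt in, so a rollover script cannot accidentally publish a SHA-1 DS.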
Examples
AddDomain/ModifyDomain parameters for DS data:
domain = org-domain.org
secDNS-ds0 = 27919 5 1 C9FB4F34C8C73B10B8F41D87381B1FDD8D1EE9F0
AddDomain/ModifyDomain parameters for key data:
domain = de-domain.de
secDNS-maxSigLife = 604800
secDNS-key0 = 257 3 5 AwEAAcXwGatVRLkzRgV/sFSr0h4n+u/OVDuWI7bkAgXeEc3i/dSBfcG7/k5OvhYKCq+eQYbTP/kHsQUOzQPW2dDNSgFfQYOqN4ItAbxEhc7e5b79tVThCp5vxRT1iDp57bPlB0M2vfGr3d2TwNZUmUP4RQqyycJm2KXXYpI81aY+DCzh
StatusDomain properties for DS data only:
PROPERTY[SECDNS-MAXSIGLIFE][0]=604800
PROPERTY[SECDNS-DS][0]=27919 5 1 C9FB4F34C8C73B10B8F41D87381B1FDD8D1EE9F0
PROPERTY[SECDNS-KEY][0]=
StatusDomain properties for key data only:
PROPERTY[SECDNS-MAXSIGLIFE][0]=604800
PROPERTY[SECDNS-DS][0]=
PROPERTY[SECDNS-KEY][0]=257 3 5 AwEAAcXwGatVRLkzRgV/sFSr0h4n+u/OVDuWI7bkAgXeEc3i/dSBfcG7/k5OvhYKCq+eQYbTP/kHsQUOzQPW2dDNSgFfQYOqN4ItAbxEhc7e5b79tVThCp5vxRT1iDp57bPlB0M2vfGr3d2TwNZUmUP4RQqyycJm2KXXYpI81aY+DCzh
StatusDomain properties for DS data with optional key data:
PROPERTY[SECDNS-MAXSIGLIFE][0]=604800
PROPERTY[SECDNS-DS][0]=27919 5 1 C9FB4F34C8C73B10B8F41D87381B1FDD8D1EE9F0
PROPERTY[SECDNS-KEY][0]=257 3 5 AwEAAcXwGatVRLkzRgV/sFSr0h4n+u/OVDuWI7bkAgXeEc3i/dSBfcG7/k5OvhYKCq+eQYbTP/kHsQUOzQPW2dDNSgFfQYOqN4ItAbxEhc7e5b79tVThCp5vxRT1iDp57bPlB0M2vfGr3d2TwNZUmUP4RQqyycJm2KXXYpI81aY+DCzh
An empty PROPERTY value means the registry holds no data of that kind for the domain. The sample records above use algorithm 5 (RSA/SHA-1) and digest type 1 (SHA-1) purely to illustrate the field layout; both are deprecated (see the algorithm and digest type lists above), so real delegations should use algorithm 8, 13 or 15 and digest type 2.
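The StatusDomain output above is what you reconcile against during a key rollover: read back what the registry holds, then send only the additions and deletions through the addsecDNS-*/delsecDNS-* parameters rather than replacing the whole set. The following is an added example and not HEXONET code. It assumes the response has already been split into the PROPERTY[NAME][index]=value lines shown on this page and that the ModifyDomain parameters behave as documented above; the sample input is the page's "DS data only" response, and the replacement DS digest is a constructed placeholder, not derived from a real key.

```python
"""Turn StatusDomain SECDNS properties into a ModifyDomain delta.

Added example, not HEXONET code.  Assumes PROPERTY[NAME][index]=value lines
as shown on this page and the documented addsecDNS-*/delsecDNS-*/
secDNS-remove-all semantics; the HTTP transport is out of scope.
"""
import re

PROP_RE = re.compile(r"^PROPERTY\[(?P<name>[A-Z0-9-]+)\]\[(?P<idx>\d+)\]=(?P<value>.*)$")
DEPRECATED_ALGS = {1, 2, 3, 5, 6, 7, 12}   # RFC 8624: not for new keys
DEPRECATED_DIGEST_TYPES = {1, 3}           # SHA-1 and GOST


def normalize(record: str) -> str:
    """Collapse whitespace so records compare as sets regardless of spacing."""
    return " ".join(record.split())


def parse_status(lines):
    """Collect SECDNS-MAXSIGLIFE / SECDNS-DS / SECDNS-KEY properties.
    An empty value means the registry has no data of that kind."""
    state = {"maxSigLife": None, "ds": [], "key": []}
    for line in lines:
        match = PROP_RE.match(line.strip())
        if not match:
            continue
        name, value = match.group("name"), match.group("value").strip()
        if not value:
            continue
        if name == "SECDNS-MAXSIGLIFE":
            state["maxSigLife"] = int(value)
        elif name == "SECDNS-DS":
            state["ds"].append(normalize(value))
        elif name == "SECDNS-KEY":
            state["key"].append(normalize(value))
    return state


def audit(state):
    """Findings for records that should not be in a current delegation."""
    findings = []
    for ds in state["ds"]:
        tag, alg, digest_type, _digest = ds.split()
        if int(alg) in DEPRECATED_ALGS:
            findings.append(f"DS {tag}: algorithm {alg} is deprecated")
        if int(digest_type) in DEPRECATED_DIGEST_TYPES:
            findings.append(f"DS {tag}: digest type {digest_type} is deprecated")
    for key in state["key"]:
        flags, protocol, alg, _pubkey = key.split(None, 3)
        if protocol != "3":
            findings.append(f"KEY flags={flags}: protocol {protocol} is invalid (must be 3)")
        if int(alg) in DEPRECATED_ALGS:
            findings.append(f"KEY flags={flags}: algorithm {alg} is deprecated")
    return findings


def modify_params(domain, current, desired):
    """ModifyDomain parameters that move the registry from `current` to `desired`.
    Only differences are sent; add#/del# indexes restart at 0 per record kind.
    secDNS-remove-all is used only when the desired state is 'no DNSSEC at all'."""
    params = {"domain": domain}
    if not desired["ds"] and not desired["key"]:
        if current["ds"] or current["key"]:
            params["secDNS-remove-all"] = "1"
        return params
    for kind in ("ds", "key"):
        have, want = set(current[kind]), set(desired[kind])
        for i, record in enumerate(sorted(want - have)):
            params[f"addsecDNS-{kind}{i}"] = record
        for i, record in enumerate(sorted(have - want)):
            params[f"delsecDNS-{kind}{i}"] = record
    return params


# Constructed input: the page's "DS data only" StatusDomain sample.
SAMPLE_STATUS = [
    "PROPERTY[SECDNS-MAXSIGLIFE][0]=604800",
    "PROPERTY[SECDNS-DS][0]=27919 5 1 C9FB4F34C8C73B10B8F41D87381B1FDD8D1EE9F0",
    "PROPERTY[SECDNS-KEY][0]=",
]
# Constructed replacement: RSA/SHA-256 key with a SHA-256 DS.  The digest is a
# placeholder for the example, not derived from a real key.
NEW_DS = "27919 8 2 " + "AB" * 32

if __name__ == "__main__":
    current = parse_status(SAMPLE_STATUS)
    for finding in audit(current):
        print("audit:", finding)
    desired = {"maxSigLife": 604800, "ds": [NEW_DS], "key": []}
    for name, value in modify_params("org-domain.org", current, desired).items():
        print(f"{name} = {value}")
```

Against the sample response the audit reports the deprecated algorithm 5 and digest type 1, and the delta is a single addsecDNS-ds0 plus a single delsecDNS-ds0. Sending both in one ModifyDomain keeps the delegation continuously signed; sending secDNS-remove-all followed by a fresh AddDomain-style set would leave a window in which validating resolvers treat the zone as unsigned, and the code only reaches for secDNS-remove-all when the intended end state really is "no DNSSEC".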