Your IP address is



DNSSEC delegations


Procedure for Requesting DNSSEC Delegations (Date: April 2012 - Version:1.0)

This section describes how to request DNSSEC Delegations. It is in addition to the existing procedure for requesting reverse delegations.

Please note that until further notice from AfriNIC, DS RECORDS will not be visible in the DNS. Watch out for upcoming news from us.


1 - The DOMAIN Object

You can request reverse delegation by submitting domain objects via auto-dbm(e-mail) or via MyAFRINIC, which is the recommended method[1]. DNSSEC will not mean any change to the existing authorization mechanisms. To enable the DNSSEC delegation, the domain object now includes a "ds-rdata:" attribute.

domain: [mandatory] [single] [primary/look-up key]
descr: [mandatory] [multiple] [ ]
org: [optional] [multiple] [inverse key]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
zone-c: [mandatory] [multiple] [inverse key]
nserver: [optional] [multiple] [inverse key]
ds-rdata: [optional] [multiple] [inverse key]
sub-dom: [optional] [multiple] [inverse key]
dom-net: [optional] [multiple] [ ]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [optional] [multiple] [inverse key]
mnt-lower: [optional] [multiple] [inverse key]
refer: [optional] [single] [ ]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]


2- The "ds-rdata:" Attribute

In DNSSEC, the Delegation Signer (DS) Resource Record is created from a DNSKEY Resource Record by comparing it with the public key. The parent publishes and signs the DS Resource Record. The "ds-rdata:" attribute contains the RDATA of the DS Resource Records related to the domain (as shown in the "domain:" attribute).

Ds-rdata: 55555 8 2 CABC3A8AF15E93741BF45096DB1D3451D93B2F541166EA44F2D4781753328CB8


3- Delegation Checks

When you submit your update through MyAFRINIC, the update engine will perform a number of check as shown by the picture below.

dnssec FlowchartDSValidation

  • Keep all the default checks MyAfrinic does on the reverse delegation
  • Syntax check is done to ensure the DS entered is in the correct format:
  • keytag: {0-65535}; Algorithm:{3|5|6|7|8|10|12|253|254}; Digest type:{1-3}; Digest:{alphanumeric}
  • Digest length depends on digest type as follows: Type 1 (Sha1): 160 bit (40 Characters) / Type 2 (Sha256) or 3(gost): 256 bit (64 Characters)
  • Check if a key exists in child zone with the key tag in the DS record
  • Check if the algorithm of the key matches the key algorithm in the DS attributes
  • Check if the digest matches the Key with the corresponding tag in child zone
  • Check if there an RRSIG covering the DNSKEY corresponding to the DS submitted and is valid.

[1] Currently there is no check and validation for DS submitted through auto-dbm

(Page 4 of 6)