
AFRINIC DNSSEC Service

 

DNSSEC delegations

 

Procedure for Requesting DNSSEC Delegations (Date: April 2012 - Version: 1.0)

This section describes how to request DNSSEC Delegations. It is in addition to the existing procedure for requesting reverse delegations.

Please note that until further notice from AfriNIC, DS RECORDS will not be visible in the DNS. Watch out for upcoming news from us.

 

1 - The DOMAIN Object

You can request reverse delegation by submitting domain objects via auto-dbm (e-mail) or via MyAFRINIC, which is the recommended method[1]. DNSSEC does not change the existing authorization mechanisms. To enable the DNSSEC delegation, the domain object now includes a "ds-rdata:" attribute.

domain: [mandatory] [single] [primary/look-up key]
descr: [mandatory] [multiple] [ ]
org: [optional] [multiple] [inverse key]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
zone-c: [mandatory] [multiple] [inverse key]
nserver: [optional] [multiple] [inverse key]
ds-rdata: [optional] [multiple] [inverse key]
sub-dom: [optional] [multiple] [inverse key]
dom-net: [optional] [multiple] [ ]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [optional] [multiple] [inverse key]
mnt-lower: [optional] [multiple] [inverse key]
refer: [optional] [single] [ ]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]


 

2 - The "ds-rdata:" Attribute

In DNSSEC, the Delegation Signer (DS) Resource Record is created from a DNSKEY Resource Record by comparing it with the public key. The parent publishes and signs the DS Resource Record. The "ds-rdata:" attribute contains the RDATA of the DS Resource Records related to the domain (as shown in the "domain:" attribute).

ds-rdata: 55555 8 2 CABC3A8AF15E93741BF45096DB1D3451D93B2F541166EA44F2D4781753328CB8


 

3 - Delegation Checks

When you submit your update through MyAFRINIC, the update engine performs a number of checks, as shown in the flowchart below.

[Figure: DS validation flowchart]

  • Keep all the default checks MyAFRINIC does on the reverse delegation
  • Syntax check is done to ensure the DS entered is in the correct format:
      • Key tag: {0-65535}; Algorithm: {3|5|6|7|8|10|12|253|254}; Digest type: {1-3}; Digest: {alphanumeric}
      • Digest length depends on digest type as follows: Type 1 (SHA-1): 160 bit (40 characters) / Type 2 (SHA-256) or 3 (GOST): 256 bit (64 characters)
  • Check if a key exists in the child zone with the key tag in the DS record
  • Check if the algorithm of the key matches the key algorithm in the DS attributes
  • Check if the digest matches the key with the corresponding tag in the child zone
  • Check if there is an RRSIG covering the DNSKEY corresponding to the DS submitted and that it is valid.

[1] Currently there is no check and validation for DS submitted through auto-dbm
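
The checks listed above can be reproduced locally before submitting a "ds-rdata:" value. The Python code below is an added example, not AFRINIC's code: it applies the syntax rules from this page, then the key tag, algorithm and digest checks against a child DNSKEY, using the key tag and DS digest calculations from RFC 4034. The zone name, the dummy DNSKEY bytes and all function names are constructed for illustration; the RRSIG check and GOST digests are not covered.

```python
import hashlib
import re

# Syntax rules as listed on this page
ALGORITHMS = {3, 5, 6, 7, 8, 10, 12, 253, 254}
DIGEST_HEX_LEN = {1: 40, 2: 64, 3: 64}          # SHA-1, SHA-256, GOST
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}   # GOST (type 3) is not in hashlib
# Assumption: the digest is hex text, which is stricter than "alphanumeric"
DS_RE = re.compile(r"([0-9]{1,5})\s+([0-9]{1,3})\s+([0-9])\s+([0-9A-Fa-f]+)")

# Constructed sample data: documentation-prefix zone and a dummy 8-byte DNSKEY
# RDATA (flags=257, protocol=3, algorithm=8, then 4 bytes that are not a real key)
SAMPLE_ZONE = "2.0.192.in-addr.arpa"
SAMPLE_DNSKEY = bytes([0x01, 0x01, 0x03, 0x08, 0x01, 0x02, 0x03, 0x04])

def parse_ds_rdata(value):
    """Syntax check; returns (keytag, algorithm, digest_type, digest)."""
    m = DS_RE.fullmatch(value.strip())
    if not m:
        raise ValueError("expected: keytag algorithm digest-type hex-digest")
    keytag, alg, dtype, digest = int(m[1]), int(m[2]), int(m[3]), m[4].upper()
    if keytag > 65535:
        raise ValueError("key tag outside 0-65535")
    if alg not in ALGORITHMS:
        raise ValueError("algorithm not accepted")
    if len(digest) != DIGEST_HEX_LEN.get(dtype, -1):
        raise ValueError("digest type or digest length not accepted")
    return keytag, alg, dtype, digest

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(zone, rdata, dtype):
    """Hex digest over canonical owner name + DNSKEY RDATA (RFC 4034, 5.1.4)."""
    labels = zone.rstrip(".").lower().split(".")
    owner = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    return HASHES[dtype](owner + rdata).hexdigest().upper()

def check_ds(zone, ds_value, rdata):
    """Tag, algorithm and digest checks of one ds-rdata value against one DNSKEY."""
    keytag, alg, dtype, digest = parse_ds_rdata(ds_value)
    if key_tag(rdata) != keytag:
        return "no key with this tag"
    if rdata[3] != alg:
        return "algorithm mismatch"
    if dtype not in HASHES:
        return "digest type not verifiable here"
    return "ok" if ds_digest(zone, rdata, dtype) == digest else "digest mismatch"
```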
