DNSSEC requirements by registrar.

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Apr 8, 2023.

  1. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Not familiar with DNSSEC at all. Need help.
    Done the part in ispconfig dns zone. Got the following for 13 (ECDSAP256SHA256)
    --------- start -------------
    DS-Records:
    example.com. IN DS 4122 13 2 #######################################################
    ------------------------------------

    DNSKEY-Records:
    ; This is a key-signing key, keyid 4122, for example.com.
    ; Created: 20230408063901 (Sat Apr 8 14:39:01 2023)
    ; Publish: 20230408063901 (Sat Apr 8 14:39:01 2023)
    ; Activate: 20230408063901 (Sat Apr 8 14:39:01 2023)
    example.com. IN DNSKEY 257 3 13 ##############################################################################

    ; This is a zone-signing key, keyid 25722, for example.com.
    ; Created: 20230408063901 (Sat Apr 8 14:39:01 2023)
    ; Publish: 20230408063901 (Sat Apr 8 14:39:01 2023)
    ; Activate: 20230408063901 (Sat Apr 8 14:39:01 2023)
    example.com. IN DNSKEY 256 3 13 #############################################################################
    ----------- end -----------

    The registrar is asking for the following.
    ---------- start ----------------
    Before I can fully refer this to our Domains Team, please do me a favor and respond to this email with the DNSSEC requirements below.
    • DS record
    • Digest
    • Digest type
    • Algorithm
    • Public key
    • Key tag
    • Flags
    ----------- end ----------------
    What do I fill in for the above?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Thank you very much for the link. It was very useful. I managed to fill up most of the requirements. Most of it was already in the DS record.
    Got a few more questions.
    1. Which is the public key?
    key-signing key or zone-signing key?
    2. Can a DS record's digest have a space? I ask because mine has a space in the digest.
    3. Where can I find the "Flags"?
    Just in case others are reading this, this is the breakdown from the link above. This is for the following DS record.
    example.com. IN DS 4122 13 2 #######################################################
    Key Tag: 4122
    Algorithm: 13
    Digest Type: 2
    Digest: ########################################## ###############################
    Protocol: 3. From the docs on the internet, this is always 3. Please correct me if I am wrong.
    Public Key: ?
    Flags: ?
    Come to think of it, do I have to hide the digest? It will end up in the DNS, correct?
     
  4. pvanthony

    pvanthony Active Member HowtoForge Supporter

    After reading some internet articles, it seems the zone-signing key is the public key. Is this correct?
     
  5. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Found out some information about the space in the digest. Seems like I have to remove the space when submitting to the registrar.
    "The second DS record in the dsset-example.com. file had a space in the digest, but when entering it in the form you should omit it. Click Next, click Finish and Save the records."
    Got the above from https://www.digitalocean.com/commun...-dnssec-on-an-authoritative-bind-dns-server-2
    What is the Public Key?
    What is the Flags?
    Not sure why the registrar is asking for them. Do they really need it?
     
  6. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Looks like the Flag is always 257.
    "
    Sometimes domain registrars may require or ask for other information, depending on the top-level domain (TLD) registry:

    • Public key (base64 string such as 9gP/WrSoitGLYmyl…TuqqaWKOpBFLaQ==)

    • Flags (always 257) or Key type (key-signing key or KSK)

    • Protocol (always 3)

    • Maximum signature lifetime (optional, only used for .ORG; leave blank)
    "
    Got the information from the following website.
    https://cloud.google.com/community/tutorials/dnssec-cloud-dns-domains
    Now only left with the public key. Where can I get the public key?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The public key is the one shown in the DNS record that you can see in the ISPConfig GUI.
     
  8. pvanthony

    pvanthony Active Member HowtoForge Supporter

    In the first message at the top of this topic, I have copied what I saw in ispconfig gui. Is that what you are saying?
    It has two keys, which one should I submit? It has a zone signing key and a key signing key.
    Or should I submit both?
    Sorry for the trouble. I am really new at DNSSEC.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Usually all you need to give is the KSK (Key Signing Key) (AKA 257) and the algorithm (when using ISPConfig, it's currently 13 by default). Which provider is this?
     
    pvanthony likes this.
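As an added example (not from this thread, ISPConfig or the registrar), the Python below derives every field on the registrar's list from the KSK DNSKEY following RFC 4034: the key tag, the DS digest (digest type 2 is SHA-256 over the canonical owner name plus the DNSKEY RDATA), the flags value that marks the KSK, the protocol, and the base64 public key. The 64-byte key is a constructed placeholder for the value redacted with `#` above, and `ds_matches` shows that a space in the displayed digest is only a display artifact.

```python
import base64
import hashlib
import struct

# Constructed placeholder for the redacted key: 64 bytes, the size of an
# algorithm 13 (ECDSAP256SHA256) public key. Not a valid curve point.
SAMPLE_KEY = bytes(64)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Owner name in canonical wire format (RFC 4034 section 6.2): lower-case labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_fields(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The fields a registrar form asks for, derived from one DNSKEY record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest,
            "public_key": base64.b64encode(pubkey).decode("ascii"),
            "flags": flags, "protocol": protocol}

def ds_matches(fields, shown_digest):
    """True if a displayed digest (possibly with a space, as BIND prints it) matches."""
    return fields["digest"] == shown_digest.replace(" ", "").upper()

def pick_ksk(dnskeys):
    """Keep only key-signing keys (flags 257); the ZSK (256) is not what the registrar needs."""
    return [k for k in dnskeys if k[0] == 257]

if __name__ == "__main__":
    ksk = pick_ksk([(257, 3, 13, SAMPLE_KEY), (256, 3, 13, SAMPLE_KEY)])[0]
    for name, value in ds_fields("example.com.", *ksk).items():
        print(f"{name}: {value}")
```

Running it against the real DNSKEY from the ISPConfig GUI (base64-decoded) reproduces the key tag and digest shown in the DS record, which is the check worth doing before submitting the form.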
  10. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Ok. I will try that.
    The provider is vodien.com
     
  11. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Just an update. The DNSSEC at the registrar has been done.
    Thank you all for helping.
     
    Th0m likes this.
