Hi ispconfigers, I want to sign my domain with DNSSEC at my registrar (in my case RoTLD), and in my domain's DNS zone I have records like this:

ISP Config 3 DNSSEC DS-Data for registry:
DS-Records:
domain.ro. IN DS 2523 7 1 C60ExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBA5B
domain.ro. IN DS 2523 7 2 3CFCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4934 14025D45
----

In the administration panel at my registrar they ask for a key. The question is: which one?
Also, I want to let you all know that my registrar accepts the following algorithms.
Key algorithms: 3 (DSA/SHA-1), 5 (RSA/SHA-1), 6 (DSA-NSEC3-SHA1), 7 (RSASHA1-NSEC3-SHA1), 8 (RSA/SHA-256), 10 (RSA/SHA-512), 12 (GOST R 34.10-2001), 13 (ECDSA Curve P-256 with SHA-256), 14 (ECDSA Curve P-384 with SHA-384)
Hash types: 1 (SHA-1) and 2 (SHA-256)
The screenshot is just an example of those fields; the example text deletes itself after you click on the field. In my first post, it's the data from my DNS zone.
All that is actually needed for DNSSEC to propagate is:
- Digest (looks like this: d4c0f58bf606b2a3484fecb4db589cfb2ced05e88bc8265e9cf76a6c87049654)
- Digest hash type (usually SHA256)
- Key Tag (looks like: 2371)
- Algorithm (most commonly option 13, ECDSA Curve P-256 with SHA-256)
@Loveless I understand, but in my first post I put two lines. Which one, the first or the second? My registrar asks me to put them in one field.
I'd try the first one. Just try; if it doesn't work, no biggie. DNSSEC is a bonus, it doesn't break your domain if it fails.
Those 2 lines are differentiated by DIGEST (hash) type: type 1 is SHA-1, type 2 is SHA-256. You can send both, it's not a problem, but of course the 2nd one is more secure. You can check your domain's DNSSEC validation at dnssec-debugger.verisignlabs.com (there is also info there about the DS record digest type for root domains).
My registrar asks for the following fields:
1. Key tag (which in this example I assume is 2523)
2. Algorithm (which in this example I assume is 7)
3. Flags (either Key Signing Key or Zone Signing Key)
4. Public key

I've tried almost every combination of my DS records, but my registrar keeps giving an error. Could somebody please help me with what I need to fill in at my registrar according to the above example?
It seems that you should send the public info about the KSK; you've got it in the greyed part of your domain config (the last one). Below is an example:

; This is a key-signing key, keyid 33669, for p**.*****.*l.
; Created: 20180405142301 (Thu Apr 5 16:23:01 2018)
; Publish: 20180405142301 (Thu Apr 5 16:23:01 2018)
; Activate: 20180405142301 (Thu Apr 5 16:23:01 2018)
{your.domain}. IN DNSKEY 257 3 7 {public_key_of_KSK}

Re 1: keyid of the KSK from the 1st line
Re 2: Indeed 7 (RSASHA1-NSEC3-SHA1)
Re 3: From RFC 4034 it is 257 for a KSK (or 256 for a ZSK); DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
Re 4: Public key from the uncommented last line of the KSK
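The two DS lines in the first post and the DNSKEY line in the last post describe the same key: both DS records are computed from the KSK's DNSKEY RDATA, the key tag (2523 in the first post, 33669 in the example above) is the keyid of that DNSKEY, and the two lines differ only in the digest type (1 = SHA-1, 2 = SHA-256). The Python below is an added example, not code from the thread or from ISPConfig, that derives both DS records from a DNSKEY line following RFC 4034 (key tag in Appendix B, DS digest in section 5.1.4) and RFC 4509 for SHA-256. The owner name "domain.ro." and the 64-byte "public key" are constructed sample data, not a real key; feed it the real DNSKEY line from the greyed box to get the values the registrar form asks for.

```python
"""Derive the DS records (digest types 1 and 2) of a KSK from its DNSKEY line."""
import base64
import hashlib
import struct

# Constructed sample input, NOT a real key: a KSK (flags 257, SEP bit set) with
# protocol 3 and algorithm 7 (RSASHA1-NSEC3-SHA1), as in the thread, and a
# made-up 64-byte public key (bytes 1..64) so the output is reproducible.
SAMPLE_DNSKEY_LINE = (
    "domain.ro. IN DNSKEY 257 3 7 "
    + base64.b64encode(bytes(range(1, 65))).decode()
)

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line):
    """Split a presentation-format DNSKEY RR. The base64 public key may be broken
    across several whitespace-separated chunks (as dnssec-keygen writes it)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA = Flags (16 bit) | Protocol (8 bit) | Algorithm (8 bit) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the
    carry back in, keep the low 16 bits. This is the 'keyid' in the key file."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name in wire form | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_records(dnskey_line):
    """Return one (key_tag, algorithm, digest_type, digest) tuple per digest type."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    return [(tag, algorithm, dt, ds_digest(owner, rdata, dt)) for dt in sorted(DIGEST_ALGS)]


def registrar_fields(dnskey_line):
    """The four values a registrar form like the one in the thread asks for:
    key tag, algorithm, KSK/ZSK (from the SEP bit of the flags) and the public key."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "flags": "KSK" if flags & 0x0001 else "ZSK",  # 257 -> KSK, 256 -> ZSK
        "public_key": base64.b64encode(pubkey).decode(),
    }


if __name__ == "__main__":
    owner = parse_dnskey(SAMPLE_DNSKEY_LINE)[0]
    for tag, alg, dt, digest in ds_records(SAMPLE_DNSKEY_LINE):
        print(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    print(registrar_fields(SAMPLE_DNSKEY_LINE))
```

Run it on the real DNSKEY line and compare the printed key tag with the one in the ISPConfig DS lines: if they match, the DS lines and the DNSKEY belong to the same KSK, and whichever form the registrar uses (DS fields or DNSKEY fields) can be filled from this output. A DS record whose digest is shorter than 40 hex characters, or whose key tag differs from the keyid, means the wrong key or a truncated copy was pasted.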