I have signed my zone using your plugin, now what?

As you know DNSSEC works by following a chain of trust in which "child keys" are validated by "parent keys". Every key in a zone is validated by the zone above it. So in order for the DNSSEC validation to work properly the domain's key must be validated at the TLD level. This is done by storing the DS (Delegation Signer) record of the domain, which is a hash of its KSK, in the TLD.

- The DS record contains a cryptographic hash of child’s KSK.
- A zone’s DS records only appear in its parent zone along with NS records at a delegation point.

This “DS record” at the parent name server is what binds your signed domain into the larger “chain of trust.

How to add DS record to the Registrar?

To get the DS record:

* Login to your WHM ( https://<your_server_ip>:2087/ )

* Navigate to plugin section and click on DNSSEC Manager Standard Edition (cPanel) v1.0

* Click on the link that says "Show DS" against your domain.

Your dsset file has two lines. One is your KSK and one is your ZSK. You need to first add KSK key at registrar and then ZSK.

The following information in the DS record will have to be provided to your regisrar to get the DS record setup there:

* Key Tag

* Algorithm

* Digest Type

* Digest

For example in the DS record shown below:

test123.com. IN DS 39151 5 1 0C1615B3C20D36C0EF3272A25CA0469AD929C312

Key Tag = 39151
Algorithm = 5 (RSA/SHA)
Digest type = 1 (SHA-1) [For SHA-256 this will be 2]
Digest = 0C1615B3C20D36C0EF3272A25CA0469AD929C312

Repeat this for the second line, note that Digest type will change to 2 and your key on DSSET is like this: "6695CD1AEBDCFD2E0530361234564E67F9D4202BBE34FD719B8EB97F 3B12345F" . You may need to remove the space.

Knowledgebase

Categories

Categories

How to add DS record to the Registrar?

Related Articles

Tag Cloud

Support