As we mentioned in the section called “Upload to Parent Zone”, the format of the information you upload to your parent zone is dictated by your parent zone administrator, and the three main formats are:
- DS Record Format
- DNSKEY Format
- Trusted Key Format
ccTLDs typically maintain their own lists of registrars and should have a list of which of those support DNSSEC. ICANN maintains a list of accredited registrars who support DNSSEC for gTLDs:
Next, we will take a look at how to get each of the three formats from your existing data.
Below is an example of generating DS record formats from the KSK we
created earlier (
Kexample.com.+008+06817.key) using two
different secure hashing algorithms (SHA-1 and SHA-256, respectively):
dnssec-dsfromkey -a SHA-1 Kexample.com.+008+06817.keyexample.com. IN DS 6817 8 1 59194A835ACD78D25D538D5F35CA043A8F3F4446 #
dnssec-dsfromkey -a SHA-256 Kexample.com.+008+06817.keyexample.com. IN DS 6817 8 2 2A5F1DF55D5E64CBD7BCFE1EFA6E9586AF335FA56A2473296E975B89AFD31E11
Some registrars many ask you to manually specify the types of algorithm and digest used. In the first example, 8 represents the algorithm used, and 1 represents the digest type (SHA-1); in the second example, 8 is the algorithm, and 2 is the digest type (SHA-256). The key tag or key ID is 06817.
Alternatively, you could generate it from the DNSKEY records like this:
dig @192.168.1.13 example.com. DNSKEY | dnssec-dsfromkey -f - example.comexample.com. IN DS 6817 8 1 59194A835ACD78D25D538D5F35CA043A8F3F4446 example.com. IN DS 6817 8 2 2A5F1DF55D5E64CBD7BCFE1EFA6E9586AF335FA56A2473296E975B89AFD31E11
Below is an example of a different key ID (16027) using DNSKEY format (actual key shortened for display):
example.com. 172800 IN DNSKEY 257 3 8 (AwEAAbGOPf...AX2QHMY8=) ; key id = 16027
The key itself is easy to find (it's kind of hard to miss that big long base64 string) in the file. Remember, we want the KSK, so look for the presence of 257.
cat Kexample.com.+008+06817.key; This is a key-signing key, keyid
6817, for example.com. ; Created: 20141120094612 (Thu Nov 20 17:46:12 2014) ; Publish: 20141120094612 (Thu Nov 20 17:46:12 2014) ; Activate: 20141120094612 (Thu Nov 20 17:46:12 2014) example.com. IN DNSKEY
2573 8 AwEAAcWDps...lM3NRn/G/R
Some registrars may ask you to manually specify the type of algorithm used and the key tag number. In our example above, the chosen algorithm is 8, and the key ID is 6817.