Working with Parent Zone

As we mentioned in the section called “Upload to Parent Zone”, the format of the information you upload to your parent zone is dictated by your parent zone administrator, and the three main formats are:

  1. DS Record Format
  2. DNSKEY Format
  3. Trusted Key Format

ccTLDs typically maintain their own lists of registrars and should have a list of which of those support DNSSEC. ICANN maintains a list of accredited registrars who support DNSSEC for gTLDs:

https://www.icann.org/resources/pages/deployment-2012-02-25-en

Next, we will take a look at how to get each of the three formats from your existing data.

DS Record Format

Below is an example of generating DS records from the KSK we created earlier (Kexample.com.+008+06817.key) using two different secure hashing algorithms (SHA-1 and SHA-256, respectively):

# cd /etc/bind/keys/example.com
# dnssec-dsfromkey -a SHA-1 Kexample.com.+008+06817.key
example.com. IN DS 6817 8 1 59194A835ACD78D25D538D5F35CA043A8F3F4446
# dnssec-dsfromkey -a SHA-256 Kexample.com.+008+06817.key
example.com. IN DS 6817 8 2 2A5F1DF55D5E64CBD7BCFE1EFA6E9586AF335FA56A2473296E975B89AFD31E11

Some registrars may ask you to manually specify the types of algorithm and digest used. In the first example, 8 represents the algorithm used, and 1 represents the digest type (SHA-1); in the second example, 8 is the algorithm, and 2 is the digest type (SHA-256). The key tag or key ID is 06817.

Alternatively, you could generate it from the DNSKEY records like this:

$ dig @192.168.1.13 example.com. DNSKEY | dnssec-dsfromkey -f - example.com
example.com. IN DS 6817 8 1 59194A835ACD78D25D538D5F35CA043A8F3F4446
example.com. IN DS 6817 8 2 2A5F1DF55D5E64CBD7BCFE1EFA6E9586AF335FA56A2473296E975B89AFD31E11

DNSKEY Format

Below is an example of a different key ID (16027) using DNSKEY format (actual key shortened for display):

example.com. 172800 IN DNSKEY 257 3 8 (AwEAAbGOPf...AX2QHMY8=) ; key id = 16027

The key itself is easy to find in the file (it's hard to miss that big long base64 string). Remember, we want the KSK, so look for the flags value 257.

# cd /etc/bind/keys/example.com
# cat Kexample.com.+008+06817.key
; This is a key-signing key, keyid 6817, for example.com.
; Created: 20141120094612 (Thu Nov 20 17:46:12 2014)
; Publish: 20141120094612 (Thu Nov 20 17:46:12 2014)
; Activate: 20141120094612 (Thu Nov 20 17:46:12 2014)
example.com. IN DNSKEY 257 3 8 AwEAAcWDps...lM3NRn/G/R

Some registrars may ask you to manually specify the type of algorithm used and the key tag number. In our example above, the chosen algorithm is 8, and the key ID is 6817.

Trusted Key Format

This format is very similar to the DNSKEY format; the differences are mostly cosmetic. Below is an example of trusted-keys format (again, actual key shortened for display):

"example.com." 257 3 8 "AwEAAbGOPf...9AX2QHMY8=";
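The three sections above take the same KSK and present it three ways, and the DS digest and key tag are derived from the DNSKEY record by fixed rules (RFC 4034: the key tag is a 16-bit checksum over the DNSKEY RDATA, and the DS digest is the hash of the canonical owner name followed by that RDATA). The following Python is an added example, not code from this guide or from BIND, that parses a constructed DNSKEY RRset in presentation format (the base64 keys are short made-up values, not real RSA keys), keeps only records with the SEP bit set (flags 257, the KSK), and emits the DS, DNSKEY and trusted-keys forms. Function and variable names are the example's own; the sample data is constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: a DNSKEY RRset as "dig example.com. DNSKEY" would print it.
# The base64 keys are short made-up values (real keys are far longer); the
# 256 record is the ZSK and the 257 record is the KSK the parent zone needs.
SAMPLE_DNSKEY_RRSET = """\
example.com.  172800  IN  DNSKEY  256 3 8 AQPTzK8cUQ==
example.com.  172800  IN  DNSKEY  257 3 8 AwEAAbGOPf8AX2QHMY8=
"""

# DS digest type number and hash function (RFC 4034 / RFC 4509)
DIGEST_TYPES = {"SHA-1": (1, hashlib.sha1), "SHA-256": (2, hashlib.sha256)}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set in 257 (KSK), clear in 256 (ZSK)


def owner_name_wire(name):
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, terminated by the empty root label."""
    name = name.lower().rstrip(".")
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(name, flags, protocol, algorithm, pubkey, digest_name):
    """DS RR in presentation format. The digest covers
    owner name (wire format) || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    digest_type, hasher = DIGEST_TYPES[digest_name]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hasher(owner_name_wire(name) + rdata).hexdigest().upper()
    return f"{name} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dnskey_lines(text):
    """Parse presentation-format DNSKEY lines (TTL and class optional, key may be
    wrapped in parentheses with a trailing ';' comment). Other lines are skipped.
    Returns a list of (name, flags, protocol, algorithm, key_bytes)."""
    keys = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)", line)
        if not m:
            continue
        name, flags, proto, alg, rest = m.groups()
        b64 = re.sub(r"[\s()]", "", rest.split(";")[0])  # drop comment, spaces, parens
        keys.append((name, int(flags), int(proto), int(alg), base64.b64decode(b64)))
    return keys


def ksk_upload_formats(text):
    """For every KSK (SEP bit set) in the RRset, build the three parent-zone formats."""
    results = []
    for name, flags, proto, alg, key in parse_dnskey_lines(text):
        if not flags & SEP_FLAG:
            continue  # ZSK (256): the parent does not need it
        b64 = base64.b64encode(key).decode()
        results.append({
            "key_tag": key_tag(dnskey_rdata(flags, proto, alg, key)),
            "ds_sha1": ds_record(name, flags, proto, alg, key, "SHA-1"),
            "ds_sha256": ds_record(name, flags, proto, alg, key, "SHA-256"),
            "dnskey": f"{name} IN DNSKEY {flags} {proto} {alg} {b64}",
            "trusted_key": f'"{name}" {flags} {proto} {alg} "{b64}";',
        })
    return results


if __name__ == "__main__":
    for entry in ksk_upload_formats(SAMPLE_DNSKEY_RRSET):
        for fmt, value in entry.items():
            print(f"{fmt:12} {value}")
```

Feeding this the real output of `dig @server example.com. DNSKEY` reproduces what `dnssec-dsfromkey -f -` does in the second DS example; comparing the two is a useful sanity check before uploading, since a DS computed over the wrong key (the ZSK) or a mistyped digest type leaves the delegation unvalidatable until the parent is corrected.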