Ascio Web Service v2
DNSSEC - Domain Name System Security Extensions
DnsSecKey
This short document gives an overview of the steps needed to create a DNSSEC handle. If your DNS provider offers DNSSEC, it should have made the relevant data visible to you; if not, you can create the data manually, provided you have a basic understanding of the ISC BIND tools and DNS. With Ascio you can create DNSSEC handles in 3 different ways:
- Digest
- Public Key
- Both
In most cases, only the Digest needs to be published in ASCIO DB.
- First of all, the DNSSEC keys have to be created.
- The next step is to create the digest.
- This should be done on the DNS server where the DNSSEC keys for the domains are stored, or you can do it manually by building the key file by hand from a DNS query.
DNS Query by hand and create the digest
To get the key via a DNS query, run dig DNSKEY getlost.ch and you will get something like:
getlost.ch. | 21600 | IN | 257 | 3 | 7 | IN | AwEAAZI6QOGu1ufPahKerQzTp+wWQ96Qh5hKXIMOTNVF1D+rsbMBau4f zUmz+Lh/E8r9FSC3/X71p4HDCFPwT9OFp2J2eSPUBclZmwYfLRs1J4aA oWgCr5HI5G5MV6X/GGAB8U0gBrlwRZPAyELEIINbnEHblMIrIpUQkVH9 rOiwN81fDtrnjr2QrMpMz8rRBoj8TBKr9yXAT49RrJeAfLL0SgU= |
From there you modify the file to have something like below:
getlost.ch. | 21600 | IN | 257 | 3 | 7 | IN | (AwEAAZI6QOGu1ufPahKerQzTp+wWQ96Qh5hKXIMOTNVF1D+rsbMBau4f zUmz+Lh/E8r9FSC3/X71p4HDCFPwT9OFp2J2eSPUBclZmwYfLRs1J4aA oWgCr5HI5G5MV6X/GGAB8U0gBrlwRZPAyELEIINbnEHblMIrIpUQkVH9 rOiwN81fDtrnjr2QrMpMz8rRBoj8TBKr9yXAT49RrJeAfLL0SgU=); key id = 54951 |
After you have created the key file, or if you are on the DNS server, you can use the BIND tools to do the following:
- Run: dnssec-dsfromkey.exe -a sha256 getlost.ch.54951.key
- Output: getlost.ch. IN DS 54951 7 2 22DDF38B4A30E9A765C5AB4380CBBB016E1890EA10567FF567D906106AFFA3D9
- Either -a sha256 or -a sha1 can be used.
- What you need to know is which key generation algorithm to use. In most cases "RSA-SHA1-NSEC3" is used.
- With all that you can fill out the Create DNSSEC Key Handle template.
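The key tag and digest that dnssec-dsfromkey prints can also be computed directly from the DNSKEY fields (flags, protocol, algorithm, public key), which gives a cross-check before a handle is submitted. The Python below is an added example, not Ascio or BIND code; it follows RFC 4034, and the helper names, the example.test dummy key and the reading of DigestAlgorithm as the DS algorithm number are assumptions.

```python
import base64
import hashlib
import struct

# DigestType numbers as listed in the property table: SHA-1 (1), SHA-256 (2)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire format: flags (2 bytes), protocol, algorithm, key."""
    key = base64.b64decode("".join(public_key_b64.split()))  # dig wraps the key
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag checksum over the RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Owner name as lower-cased, length-prefixed labels plus the root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(name, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, digest hex) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def handle_mismatches(name, dnskey, handle):
    """Names of DnsSecKey fields that disagree with the DNSKEY (empty = consistent)."""
    tag, alg, _, digest = make_ds(name, *dnskey, digest_type=int(handle["DigestType"]))
    expected = {"KeyTag": str(tag), "DigestAlgorithm": str(alg), "Digest": digest}
    return [f for f, want in expected.items() if str(handle[f]).upper() != want]

# Constructed sample: a 4-byte dummy key, not a real zone key.
SAMPLE_KEY = (257, 3, 8, "AQIDBA==")  # KSK flags, protocol 3, RSA-SHA256

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("example.test.", *SAMPLE_KEY)
    print(f"example.test. IN DS {tag} {alg} {dtype} {digest}")
```

A handle whose digest or key tag does not match any DNSKEY published in the zone makes the domain fail DNSSEC validation, so run the comparison against the key the nameservers actually serve.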
Usage
Please use the numbers in brackets for the DigestAlgorithm, DigestType, KeyAlgorithm and KeyType. Please use the nameserver update order-type to update the DnsSec.
Following TLDs support DNSSEC:
as, at, be, co.at, ch, de, nu, co.nz, net.nz, com.sg, co.uk, biz, no, pl, org.nz, per.sg, se, com.pt, nl, eu, com, net, org, ee, ni, net.sg, org.sg, sg, com.ee, edu.pt, edu.sg, int.sg, nz, uy, med.ee, fie.ee, org.ee, pri.ee, ac.nz, mobi, xn--55qx5d, ar.com, xxx, xn--io0a7i, dental, camera, clothing, lighting, ski, bio, immo, archi, singles, ventures, investments, associates, xn--czrs0t, energy, trading, voyage, guru, holdings, equipment, bike, estate, xn--ngbc5azd, contractors, land, plumbing, gallery, graphics, technology, guide, construction, directory, enterprises, kitchen, tips, today, photography, diamonds, careers, shoes, coffee, domains, limo, photos, recipes, viajes, cab, computer, codes, email, academy, accountants, agency, bargains, boutique, builders, business, camp, capital, cards, care, cash, catering, center, cheap, claims, cleaning, clinic, community, company, condos, cool, credit, creditcard, cruises, dating, digital, education, engineering, events, exchange, exposed, fail, fan, farm, finance, financial, fitness, flights, florist, foundation, fund, games, glass, gripe, haus, healthcare, holiday, hospital, house, industries, institute, insure, international, lease, maison, management, medical, network, partners, parts, pets, pictures, productions, properties, reisen, rentals, repair, report, schule, services, solar, solutions, sports, supplies, supply, support, surgery, systems, tax, tienda, tools, tours, town, toys, training, university, vacations, villas, vin, vision, watch, works, wtf, zone, xn--unup4y, xn--vhquv, apartments, coach, coupons, direct, discount, expert, express, fish, forsale, gold, jewelry, marketing, media, plus, rent, theater, tires, abogado, abudhabi, accountant, actor, adult, africa, airforce, alsace, amsterdam, architect, army, attorney, bank, bar, beer, berlin, bid, black, blackfriday, blue, brussels, build, buzz, bzh, cam, capetown, car, career, casa, christmas, click, college, cologne, consulting, cooking, corsica, country, 
creditunion, cymru, dance, date, dds, degree, democrat, dentist, desi, dot, download, durban, earth, engineer, eus, faith, fans, fishing, fit, frl, futbol, gal, game, gent, gift, gives, gop, green, guitars, hamburg, hiphop, hiv, horse, host, how, immobilien, ink, jetzt, joburg, kaufen, kim, kiwi, koeln, kyoto, lat, lgbt, link, loan, lol, london, lotto, ltda, luxe, luxury, market, melbourne, men, menu, miami, mls, moda, moe, mom, mortgage, moscow, nagoya, navy, ngo, ninja, nrw, nyc, okinawa, one, ong, onl, ooo, osaka, paris, party, photo, physio, pics, pink, porn, press, pub, qpon, quebec, red, rehab, reise, republican, rest, review, reviews, rich, rip, rocks, rodeo, ruhr, ryukyu, saarland, science, sex, sexy, shiksha, social, software, soy, space, sport, srl, stream, surf, swiss, sydney, taipei, tattoo, tirol, tokyo, top, trade, uno, vegas, versicherung, vet, vlaanderen, vodka, vote, voting, voto, wales, wang, webcam, website, whoswho, wien, wiki, win, work, xyz, yokohama, auction, audio, auto, baby, band, bingo, blog, cafe, cars, casino, charity, chat, church, city, cloud, cricket, deals, delivery, design, doctor, dog, family, fashion, film, flowers, football, furniture, fyi, garden, gifts, global, gmbh, golf, gratis, group, health, hockey, hosting, insurance, juegos, law, lawyer, legal, life, live, llc, loans, love, ltd, mba, memorial, money, movie, news, now, online, pizza, place, poker, property, racing, restaurant, run, sale, salon, sarl, school, shop, shopping, show, site, soccer, studio, style, sucks, taxi, team, tech, tennis, tickets, tube, video, wedding, wine, world, yoga, xn--fjq720a, xn--80adxhks, xn--80asehdb, xn--c1avg, xn--p1acf, xn--80aswg, xn--mgbab2bd, xn--4gbrim, xn--i1b6b1a6a2e, xn--q9jyb4c, xn--t60b56a, xn--mk1bu44c, xn--rhqv96g, xn--nyqy26a, xn--45q11c, xn--czru2d, xn--czr694b, xn--xhq521b, xn--6qq986b3xl, xn--nqv7f, xn--tqq33ed31aqia, xn--6frz82g, xn--ses554g, xn--hxt814e, xn--3bst00m, monash, ceo, xn--kcrx77d1x4a (.Philips), hermes, cba, 
philips, commbank, netbank, icu, sandvik, sandvikcoromant, walter, vista, webs, vistaprint, cern, scor, schmidt, cuisinella, sew, translations, boots, saxo, giving, barclays, barclaycard, alstom, premium, best, bydgoszcz.pl, olsztyn.pl, radom.pl, szczecin.pl, warszawa.pl, wroclaw.pl, limited, xn--kcrx77d1x4a, hk.com, hk.org, ltd.hk, inc.hk, com.se, xn--h2brj9c, irish, rio, abbott, active, afl, allfinanz, aquarelle, bloomberg, bond, canon, cartier, cbn, cfd, chloe, courses, crs, dabur, datsun, dclk, dev, doosan, dvag, epson, erni, eurovision, everbank, firmdale, flsmidth, forex, ggee, gmx, goldpoint, goo, goog, guge, hangout, ibm, ifm, infiniti, iwc, java, jcb, kddi, komatsu, lacaixa, latrobe, lds, leclerc, lidl, lotte, maif, mango, markets, marriott, mma, mormon, mtpc, nico, nissan, ntt, oracle, panerai, piaget, pohl, samsung, schwarz, shriram, sky, spreadbetting, study, temasek, toshiba, trust, wme, wtc, xin, xn--b4w605ferd, xn--flw351e, xn--qcka1pmc, yodobashi, zuerich, xn--45brj9c, xn--fpcrj9c3d, xn--gecrj9c, xn--mgbbh1a71e, xn--xkc2dl3a5ee0h, xn--s9brj9c, xn--p5b2bfp5fh3fra.xn--45brj9c, xn--hdc1b4ch5i.xn--gecrj9c, xn--d9b2bf3g1k.xn--s9brj9c, xn--vlccpku2dp3h.xn--xkc2dl3a5ee0h, xn--goc1b4ch5i8a.xn--fpcrj9c3d, xn--fhbed7t1n.xn--mgbbh1a71e, xn-p5b2bfp5fh3fra.xn-45brj9c, xn--9dbq2a, aig, amica, apple, beats, boehringer, bostik, cityeats, comsec, fairwinds, grainger, lifestyle, obi, sfr, sharp, travelers, vana, verisign, virgin, aarp, kfh, kpn, norton, redumbrella, symantec, travelersinsurance, trv, xn--ngbe9e0a, lier.no, mil.no, audi, baidu, bosch, bugatti, clinique, doha, firestone, lamborghini, lamer, meo, origins, rexroth, sapo, shell, statefarm, weber, xn--jlq61u9w7b, xn--kpu716f, xn--pbt977c, xn--vermgensberater-ctb, xn--vermgensberatung-pwb, vig, author, bot, call, circle, compare, edeka, fast, fox, gdn, got, jot, joy, like, makeup, pin, promo, read, room, safe, schaeffler, select, skin, smile, stockholm, tiffany, tushu, volkswagen, wanggou, watches, weather, 
weatherchannel, xn--eckvdtc9d, zero, alibaba, alipay, analytics, dealer, deloitte, ford, fresenius, frontier, gallup, jmp, lanxess, lincoln, nikon, pamperedchef, quest, sas, softbank, taobao, tmall, adac, avianca, chase, flickr, hdfcbank, helsinki, iselect, jpmorgan, lifeinsurance, natura, pwc, telecity, viking, yahoo, xn--e1a4c, ally, barefoot, flir, ftr, gallo, jnj, lipsy, metlife, next, nextdirect, sina, weibo, xn--9krt00a, xn--mgbca7dzdo, aetna, dtv, guardian, hkt, locker, mattel, mlb, nowtv, olayan, olayangroup, ollo, ott, pccw, progressive, richardli, sbi, statebank, warman, xn--fzys8d69uvgm, xn--mgba7c0bbn0a, xn--w4rs40l, chintai, dhl, epost, tdk, unicom, ups, xn--8y0a063a, gs.hm.no, bo.it, me.it, ra.it, tn.it, va.it, fe.it, treviso.it, is.it, co.cz, lt.it, sicilia.it, bg.it, bs.it, brescia.it, mi.it, ms.it, cosenza.it, novara.it, pv.it, ri.it, rm.it, padova.it, pd.it, roma.it, cl.it, rc.it, vv.it, modena.it, cam.it, fi.it, bz.it, torino.it, veneto.it, trentino.it, palermo.it, milano.it, ro.it, to.it, go.it, lazio.it, abruzzo.it, marche.it, sardegna.it, calabria.it, puglia.it, basilicata.it, campania.it, molise.it, umbria.it, toscana.it, emiliaromagna.it, friuliveneziagiulia.it, trentinoaltoadige.it, lombardia.it, liguria.it, piemonte.it, valledaosta.it, castelnuovo.tn.it., castelnuovo.tn.it
Property | Description |
---|---|
Handle | Example: "JD123" |
Status | |
DigestAlgorithm | DSA-SHA1 (3), RSA-SHA1 (5), DSA-SHA1-NSEC3 (6), RSA-SHA1-NSEC3 (7), RSA-SHA256 (8), RSA-SHA512 (10), ECC-GOST (12), ECDSAP256-SHA256 (13) Example: "RSA-SHA256" |
DigestType | SHA-1 (1), SHA-256 (2) Example: "SHA-256" |
Digest | Example: "846E5ED4AB6788032B89393619752F662CF2B7B2046A8EC0804DF88F1469AC1E" |
Protocol | 3 |
KeyType | Zone Signing Key (256), Key Signing Key (257) |
KeyAlgorithm | DSA-SHA1 (3), RSA-SHA1 (5), DSA-SHA1-NSEC3 (6), RSA-SHA1-NSEC3 (7), RSA-SHA256 (8), RSA-SHA512 (10), ECC-GOST (12), ECDSAP256-SHA256 (13) |
KeyTag | Example: "2224" |
PublicKey | |
CreDate | |
# DnsSecKey
dnsSecKey = {
"DigestAlgorithm" : "RSA-SHA256",
"DigestType" : "SHA-256",
"Digest" : "846E5ED4AB6788032B89393619752F662CF2B7B2046A8EC0804DF88F1469AC1E",
"KeyTag" : "2224",
"PublicKey" : "PublicKeyTest"
}
https://aws.demo.ascio.com/2012/01/01/AscioService.wsdl (OTE)
https://aws.ascio.com/2012/01/01/AscioService.wsdl (Live)
Please configure the IP-Whitelisting in the portal/demo-portal.