DNS Security Extension

The following section outlines the format of the EPP DNS Security (DNSSEC) Extension requests. The purpose of the DNSSEC extension is to obtain a higher level of domain name identification and security within the DNS by signing domain names with keys that establish their authenticity on requests.

 

The ZADNA and the ZACR have adopted a prudent approach of implementing DNSSEC in a coordinated and uniform manner across the .ZA namespace, from the top level to second and third levels. A successful DNSSEC implementation not only requires the implementation of the necessary technical infrastructure, but also requires a suitable policy framework and an extensive awareness campaign directed at users and service providers within .ZA.

 

The ZADNA has published a Plan as well as a Policy and Practice Statement Framework to support DNSSEC in the .ZA namespace. The files are available for download below:

 

 

 

Table of Contents


1. DNSSEC Domain Create
2. Possible Responses
   2.1. 1000: Domain Creation Successful
   2.2. Additional Responses
3. DNSSEC Domain Info
4. Possible Responses
   4.1. 1000: Domain Info Successful
   4.2. Additional Responses
5. DNSSEC Domain Update
6. Possible Responses
   6.1. 1000: Domain Update Successful
   6.2. Additional Responses
 

DNSSEC Domain Create

 

Notes

1. The <secDNS:create> element must be used to specify the DNSSEC data.

2. The <secDNS:maxSigLife> element must contain the lifespan of the applied key, in seconds.

3. Signing key information must be included in the child elements of the <secDNS:keyData> element.

4. The <secDNS:flags> element MUST have a value of "257". This indicates that the information to follow represents a zone signing key.

5. The <secDNS:protocol> element MUST have a value of "3".

6. The <secDNS:alg> element MUST represent the type of key being used to sign the zone. The value MUST match one of the available values listed here. The most typical value is "8", representing an RSA/SHA256 key type.

7. The entire key must be included in the <secDNS:pubKey> element.

<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <create>
      <domain:create xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
        xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>exampledomain.gtld</domain:name>
        <domain:period unit="y">1</domain:period>
        <domain:ns>
          <domain:hostAttr>
            <domain:hostName>ns1.otherdomain.gtld</domain:hostName>
          </domain:hostAttr>
          <domain:hostAttr>
            <domain:hostName>ns1.exampledomain.gtld</domain:hostName>
            <domain:hostAddr ip="v6">ff02::1</domain:hostAddr>
          </domain:hostAttr>
        </domain:ns>
        <domain:registrant>RegistrantID</domain:registrant>
        <domain:contact type="admin">AdminID</domain:contact>
        <domain:contact type="tech">TechID</domain:contact>
        <domain:contact type="billing">BillingID</domain:contact>
        <domain:authInfo>
          <domain:pw>TransferPassword</domain:pw>
        </domain:authInfo>
      </domain:create>
    </create>
    <extension>
      <secDNS:create xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
        <secDNS:maxSigLife>60000</secDNS:maxSigLife>
        <secDNS:keyData>
          <secDNS:flags>257</secDNS:flags>
          <secDNS:protocol>3</secDNS:protocol>
          <secDNS:alg>8</secDNS:alg>
          <secDNS:pubKey>[PUBLIC KEY DATA]</secDNS:pubKey>
        </secDNS:keyData>
      </secDNS:create>
    </extension>
  </command>
</epp>


Possible Responses

 

The following are responses from the server.


1000: Domain Creation Successful


A response code of 1000 means that the domain has been successfully created and the DNSSEC key has been correctly applied to the domain.

 

<epp:epp xmlns:epp="urn:ietf:params:xml:ns:epp-1.0">
  <epp:response>
    <epp:result code="1000">
      <epp:msg>Domain Creation Successful</epp:msg>
    </epp:result>
    <epp:resData>
      <domain:creData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>exampledomain.gtld</domain:name>
        <domain:crDate>2010-01-01T11:38:01Z</domain:crDate>
        <domain:exDate>2011-01-01T11:38:01Z</domain:exDate>
      </domain:creData>
    </epp:resData>
    <epp:trID>
      <epp:svTRID>ZACR-EPP-13EF53AF366-72ABB</epp:svTRID>
    </epp:trID>
  </epp:response>
</epp:epp>

Additional Responses


The Domain Create with DNSSEC Extension is an extension of the Domain Create functionality.
Additional responses will be as listed on the Domain Create documentation available here.

 


DNSSEC Domain Info

 

Notes

1. A standard EPP Domain Info request may be sent.

2. If the domain name contains DNSSEC data, the data will be displayed in the <dnssec:infData> element and its child elements.

3. If multiple DNSSEC keys have been applied to a domain, all the keys will be displayed in the response.

 

<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <info>
      <domain:info xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
        xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name hosts="all">exampledomain.gtld</domain:name>
      </domain:info>
    </info>
  </command>
</epp>


Possible Responses

 

The following are responses from the server.


1000: Domain Info Command Completed Successfully


A response code of 1000 means that the Domain Info request was completed successfully. If the domain has DNSSEC data associated with it, the data will be in the response, as in the example below.

 

<epp:epp xmlns:epp="urn:ietf:params:xml:ns:epp-1.0">
  <epp:response>
    <epp:result code="1000">
      <epp:msg>Domain Info Command completed successfully</epp:msg>
    </epp:result>
    <epp:resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
        xmlns:dnssec="urn:ietf:params:xml:ns:secDNS-1.1">
        <domain:name>exampledomain.gtld</domain:name>
        <domain:roid>DOM_5-PDT</domain:roid>
        <domain:status s="ok"/>
        <domain:registrant>RegistrantID</domain:registrant>
        <domain:contact type="admin">AdminID</domain:contact>
        <domain:contact type="tech">TechID</domain:contact>
        <domain:contact type="billing">BillingID</domain:contact>
        <domain:ns>
          <domain:hostAttr>
            <domain:hostName>ns1.otherdomain.gtld</domain:hostName>
          </domain:hostAttr>
          <domain:hostAttr>
            <domain:hostName>ns2.otherdomain.gtld</domain:hostName>
          </domain:hostAttr>
        </domain:ns>
        <domain:clID>RegistrarID</domain:clID>
        <domain:crID>RegistrarID</domain:crID>
        <domain:crDate>2010-01-01T10:46:57Z</domain:crDate>
        <domain:upID>RegistrarID</domain:upID>
        <domain:upDate>2010-01-02T10:46:57Z</domain:upDate>
        <domain:exDate>2011-01-01T10:46:57Z</domain:exDate>
      </domain:infData>
    </epp:resData>
    <epp:extension>
      <dnssec:infData xmlns:dnssec="urn:ietf:params:xml:ns:secDNS-1.1"
        xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <dnssec:maxSigLife>604800</dnssec:maxSigLife>
        <dnssec:dsData>
          <dnssec:keyTag>17478</dnssec:keyTag>
          <dnssec:alg>8</dnssec:alg>
          <dnssec:digestType>1</dnssec:digestType>
          <dnssec:digest>49B9673AF41188F83F8FF2CF9B1F08E1B33C5796</dnssec:digest>
        </dnssec:dsData>
        <dnssec:dsData>
          <dnssec:keyTag>17479</dnssec:keyTag>
          <dnssec:alg>6</dnssec:alg>
          <dnssec:digestType>2</dnssec:digestType>
          <dnssec:digest>4E919C1C6058C73BBC3CAC14A2AB98789B4596</dnssec:digest>
        </dnssec:dsData>
      </dnssec:infData>
    </epp:extension>
    <epp:trID>
      <epp:svTRID>ZACR-EPP-13F0A108589-2B328</epp:svTRID>
    </epp:trID>
  </epp:response>
</epp:epp>
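Domain Create submits key data while the Domain Info response reports DS data, so confirming that the registry holds the intended key means deriving the key tag and digest from the key yourself. The Python below is an added example, not part of the ZACR documentation: it follows the key tag and DS digest calculations of RFC 4034, its function names are illustrative, and the key `AQIDBA==` and the trimmed response are constructed samples.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

SECDNS = "{urn:ietf:params:xml:ns:secDNS-1.1}"
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in lower-case wire format | DNSKEY RDATA)."""
    wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in owner.lower().rstrip(".").split(".")
    ) + b"\x00"
    return DIGESTS[digest_type](wire + rdata).hexdigest().upper()

def key_is_published(info_xml, owner, rdata):
    """True if any dsData in the Domain Info response matches the key."""
    for ds in ET.fromstring(info_xml).iter(SECDNS + "dsData"):
        dtype = int(ds.findtext(SECDNS + "digestType"))
        if dtype not in DIGESTS:
            continue
        if (int(ds.findtext(SECDNS + "keyTag")) == key_tag(rdata)
                and int(ds.findtext(SECDNS + "alg")) == rdata[3]
                and ds.findtext(SECDNS + "digest").upper()
                == ds_digest(owner, rdata, dtype)):
            return True
    return False

# Constructed, trimmed response reusing the first dsData of the sample above.
SAMPLE_INFO = """<epp:epp xmlns:epp="urn:ietf:params:xml:ns:epp-1.0">
<epp:response><epp:extension>
<dnssec:infData xmlns:dnssec="urn:ietf:params:xml:ns:secDNS-1.1">
<dnssec:dsData><dnssec:keyTag>17478</dnssec:keyTag><dnssec:alg>8</dnssec:alg>
<dnssec:digestType>1</dnssec:digestType>
<dnssec:digest>49B9673AF41188F83F8FF2CF9B1F08E1B33C5796</dnssec:digest>
</dnssec:dsData></dnssec:infData>
</epp:extension></epp:response></epp:epp>"""
```

Elements are matched on the secDNS namespace URI, so the `dnssec:` prefix used in responses and the `secDNS:` prefix used in requests are treated alike.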

 

Additional Responses


The Domain Info with DNSSEC Extension is an extension of the Domain Info functionality.
Additional responses will be as listed on the Domain Info documentation available here.

 

 

DNSSEC Domain Update

 

Notes

1. A standard EPP Domain Update request may be sent, with the DNSSEC extension specified at the end of the XML command.

2. The <secDNS:update> element must be used as part of the extension to indicate an update is being performed.

3. To add a new key to a domain name the <secDNS:add> element must be used.

4. To remove an existing key from a domain name the <secDNS:rem> element must be used.

5. The DNSSEC implementation DOES NOT make use of the <secDNS:chg> element. In order to change existing key information, the current key must be removed and the correct one applied.

6. In order to remove ALL KEYS associated with a domain name, the <secDNS:all> element may be used with a value of "true". This element must be declared within the <secDNS:rem> element. If this element is used with a value of "true", no additional key data may be specified within the <secDNS:rem> element. This element may be declared with a value of "false", in which case the element will be ignored by the server.

 

<epp xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <command>
    <update>
      <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>exampledomain.gtld</domain:name>
      </domain:update>
    </update>
    <extension>
      <secDNS:update xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
        <secDNS:rem>
          <secDNS:all>false</secDNS:all>
          <secDNS:keyData>
            <secDNS:flags>257</secDNS:flags>
            <secDNS:protocol>3</secDNS:protocol>
            <secDNS:alg>8</secDNS:alg>
            <secDNS:pubKey>[PUBLIC KEY DATA]</secDNS:pubKey>
          </secDNS:keyData>
        </secDNS:rem>
        <secDNS:add>
          <secDNS:keyData>
            <secDNS:flags>257</secDNS:flags>
            <secDNS:protocol>3</secDNS:protocol>
            <secDNS:alg>8</secDNS:alg>
            <secDNS:pubKey>[PUBLIC KEY DATA]</secDNS:pubKey>
          </secDNS:keyData>
        </secDNS:add>
      </secDNS:update>
    </extension>
  </command>
</epp>
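The notes for Domain Create and Domain Update above can be checked on the client before a command is sent. The Python below is an added example, not ZACR code: the function names and sample fragments are constructed, and because the list of accepted algorithm values is not reproduced on this page, `alg` is only checked for being numeric.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:secDNS-1.1}"

def check_key_data(kd):
    """Apply the Domain Create notes to one <secDNS:keyData> element."""
    errors = []
    if kd.findtext(NS + "flags") != "257":
        errors.append("flags must be 257")
    if kd.findtext(NS + "protocol") != "3":
        errors.append("protocol must be 3")
    if not (kd.findtext(NS + "alg") or "").isdigit():
        errors.append("alg must be a numeric algorithm code")
    text = "".join((kd.findtext(NS + "pubKey") or "").split())
    try:
        key = base64.b64decode(text, validate=True)
    except binascii.Error:
        key = b""  # placeholder text or truncated base64
    if not key:
        errors.append("pubKey must hold the entire base64 key")
    return errors

def check_extension(xml_text):
    """Return rule violations for a secDNS create or update extension."""
    root = ET.fromstring(xml_text)
    errors = []
    if next(root.iter(NS + "chg"), None) is not None:
        errors.append("chg is not used: remove the old key, add the new one")
    for rem in root.iter(NS + "rem"):
        # all=false is ignored by the server, so only all=true is exclusive.
        has_key = rem.find(NS + "keyData") is not None
        if rem.findtext(NS + "all") == "true" and has_key:
            errors.append("rem with all=true must not carry key data")
    for kd in root.iter(NS + "keyData"):
        errors.extend(check_key_data(kd))
    return errors

# Constructed samples (not from the page); AQIDBA== is a dummy 4-byte key.
KEY = ("<secDNS:keyData><secDNS:flags>257</secDNS:flags><secDNS:protocol>3"
       "</secDNS:protocol><secDNS:alg>8</secDNS:alg><secDNS:pubKey>AQIDBA=="
       "</secDNS:pubKey></secDNS:keyData>")
WRAP = ('<secDNS:update xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">'
        "%s</secDNS:update>")
ROLLOVER = WRAP % ("<secDNS:rem>" + KEY + "</secDNS:rem><secDNS:add>" + KEY
                   + "</secDNS:add>")
ALL_PLUS_KEY = WRAP % ("<secDNS:rem><secDNS:all>true</secDNS:all>" + KEY
                       + "</secDNS:rem>")
```

`check_extension(ROLLOVER)` returns an empty list, while `check_extension(ALL_PLUS_KEY)` reports the conflict between `all` set to "true" and key data in the same `rem` element.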

 

Possible Responses

 

The following are responses from the server.


1000: Domain Update Successful


A response code of 1000 means that the Domain Update request was completed successfully. The DNSSEC data provided in the update command will be updated according to the instructions in the command. The update is applied instantly on the server side, but the result only takes effect at the next zone publication.

 

<epp:epp xmlns:epp="urn:ietf:params:xml:ns:epp-1.0">
  <epp:response>
    <epp:result code="1000">
      <epp:msg>Domain exampledomain.gtld update successful</epp:msg>
    </epp:result>
    <epp:trID>
      <epp:svTRID>ZACR-EPP-13F090CE391-6A256</epp:svTRID>
    </epp:trID>
  </epp:response>
</epp:epp>

 

Additional Responses


The Domain Update with DNSSEC Extension is an extension of the Domain Update functionality. 
Additional responses will be as listed on the Domain Update documentation available here.

 

Last update: 09-04-2019 09:37:32
