
Secured domain delegation with DNSSEC

Registrar R01 supports DNSSEC-secured delegation of .RU, .SU and .РФ domain names.

To delegate a domain securely with DNSSEC, you must sign your domain's zone. During signing you generate public and private keys and add the public keys to the zone file for your domain on the primary DNS server. Signing produces DNSKEY (keyset) and DS (dsset) records, which you then enter into a dedicated field of the form in the R01 account manager. The standard BIND 9 package includes all the programs needed for these steps.

No action is required on secondary DNS servers, but you must make sure that each secondary server also supports DNSSEC. If it does not, enable DNSSEC support in its BIND configuration file with the line "dnssec-enable yes;".

Let's assume that your domain name is dnssec.su.

First, create two key pairs:

  • The first pair, the ZSK (Zone Signing Key), is used to sign the zone file:
    # dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE dnssec.su
    Kdnssec.su.+005+25721
  • The second pair, the KSK (Key Signing Key), is used to sign the ZSK and to generate the DS record that is sent to the parent zone administrator:
    # dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1024 -n ZONE dnssec.su
    Kdnssec.su.+005+32463

dnssec-keygen prints the base names of the key files it created. The public keys (here, the contents of the files Kdnssec.su.+005+25721.key and Kdnssec.su.+005+32463.key) must be added to the domain's zone file (usually named after the domain itself).

Then sign the zone with the ZSK key:
# dnssec-signzone -r /dev/random -o dnssec.su -k Kdnssec.su.+005+32463 dnssec.su Kdnssec.su.+005+25721.key
where dnssec.su, the argument that follows the -k key name, is the zone file name (-o gives the zone origin and -k names the KSK).

Note: the zone file must be re-signed every time you change information about the domain.

Signing produces a signed copy of the zone file. By default it is named "zone_file_name" + ".signed". Now find the line in /etc/named.conf that names the file where the domain data is stored and append ".signed" to it: file "dnssec.su"; → file "dnssec.su.signed"; then reload "named".

Now the only thing left is to integrate the key information into the global DNSSEC system. Take the DS record from the file dsset-dnssec.su. that dnssec-signzone creates (the line looks like "dnssec.su. IN DS 29280 5 1 56CFF04E460B0FA4BCC31BDA08CFB4A98FF5140D") and enter the four values that follow "DS" into the corresponding fields

  • Key ID (keytag)
  • Signing algorithm
  • Digest type
  • Digest

in the description of your domain in R01 user web interface.

In fields

  • Key protocol
  • Key algorithm
  • Public key

enter the values from the keyset-dnssec.su file, that is, everything that follows the key type field (for a KSK it is always 257): in the record below these are the protocol (3), the algorithm (5) and the base64 public key in parentheses.

$ORIGIN .
DNSSEC.SU. 21600 IN DNSKEY 257 3 5 (
      AwEAAbID+i3luGn+v4yFPDiJ5MJ9i7I5xyB6
      MEBeFSA0UgrmqMlYGVHgiivkzkffvhKTEdda
      HsQVjoVWvxMNpEgRD7o6hrf5Pftd7zXkFuOL
      8vKuKcTe2nnkYGUTV5vJwvz8q8JOFUxp1UXQ
      PpdhXmjInwLHutmQMp0OpvcQa70ZoqZz
      ) ; key id = 29280
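As an added example (not part of R01's instructions or tooling), the following Python script reproduces what dnssec-signzone writes into dsset-dnssec.su. from the DNSKEY record above: it parses the multi-line record, computes the key tag as defined in RFC 4034 Appendix B and the DS digest over the owner name and RDATA, so you can check that the Key ID, algorithm, digest type and digest you paste into the R01 form belong to the KSK actually published in the zone. The record text is copied from this page (with it transcribed exactly, the key tag comes out as the key id 29280 shown); the short key used in comments and tests is constructed only for a hand-checkable case.

```python
import base64
import hashlib
import struct

# DNSKEY record as printed on this page (multi-line BIND keyset format).
PAGE_DNSKEY = """DNSSEC.SU. 21600 IN DNSKEY 257 3 5 (
      AwEAAbID+i3luGn+v4yFPDiJ5MJ9i7I5xyB6
      MEBeFSA0UgrmqMlYGVHgiivkzkffvhKTEdda
      HsQVjoVWvxMNpEgRD7o6hrf5Pftd7zXkFuOL
      8vKuKcTe2nnkYGUTV5vJwvz8q8JOFUxp1UXQ
      PpdhXmjInwLHutmQMp0OpvcQa70ZoqZz
      ) ; key id = 29280"""

def parse_dnskey(text):
    """Parse a (possibly parenthesised, multi-line) DNSKEY record; ';' comments are dropped."""
    tokens = []
    for line in text.splitlines():
        tokens += line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")  # owner name, TTL and class precede the type
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]))  # base64 may span several lines
    return tokens[0], flags, proto, alg, key

def name_to_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def keytag(rdata):
    """Key tag from RFC 4034 Appendix B: 16-bit word sum of the RDATA with carry folded in."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_fields(owner, flags, proto, alg, key, digest_type=1):
    """The four DS values the R01 form asks for: key tag, algorithm, digest type, digest."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key  # DNSKEY RDATA
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # 1 = SHA-1 (as in the page's dsset)
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    return keytag(rdata), alg, digest_type, digest

def ds_for_record(text, digest_type=1):
    """Constructed "example.test. IN DNSKEY 257 3 5 AwEAAavN" yields key tag 45781."""
    owner, flags, proto, alg, key = parse_dnskey(text)
    return ds_fields(owner, flags, proto, alg, key, digest_type)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_for_record(PAGE_DNSKEY)
    print(f"dnssec.su. IN DS {tag} {alg} {dtype} {digest}")
```

Passing digest_type=2 produces the SHA-256 form of the same DS record, which is what you would compare against if the registrar form or a later dnssec-signzone run uses that digest type.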
 

Within approximately 6 hours your domain name will be secured by DNSSEC.

Copyright © 2000-2024 Registrar R01