DNSSEC

The Domain Name System (DNS) is a globally-distributed Internet service. Among other services, it provides name-to-number (forward) and number-to-name (reverse) translations using defined client-server and server-server protocols. The DNS is a public service, and any user is freely able to query the DNS for forward or reverse translations.

How does it work?

With DNSSEC, the answers returned by a DNS lookup are digitally signed, allowing the DNS client (resolver) to verify that the information it received is identical to the information held on the authoritative name server. This ensures that outgoing Internet traffic is always sent to the correct servers. New record types were created to facilitate this:

  • RRSIG – Resource Record Signature
  • DNSKEY – DNS Public Key
  • DS – Delegation Signer
  • NSEC – Next Secure

Security Extensions

The DNS Security Extensions (DNSSEC) protect the Internet from certain attacks, such as forging DNS data, that can redirect Internet traffic to fraudulent websites. DNSSEC is a set of extensions to the DNS that provide:

  • Authentication of the origin of DNS data
  • Data integrity
  • Authenticated denial of existence

How can you update domain objects in MyAPNIC?

Using the Whois template to update a single domain object

Add an optional attribute field “ds-rdata” to your domain object and enter your DS resource records.

Using the Bulk update form to update multiple domain objects

Attach your plain text zone file containing your Name Server and/or DS resource records:

Example:

0.168.192.in-addr.arpa. 86400 IN NS new.ns1.apnic.net.
0.168.192.in-addr.arpa. 86400 IN NS new.ns2.apnic.net.
0.168.192.in-addr.arpa. 86400 IN DS 33736 5 1 4B7ABE2701C6A6F34C479EBDDBC9706C91A4B454
0.168.192.in-addr.arpa. 86400 IN DS 33736 5 2 B1E76175EC4F7AEF17EC5DBD3BA24EA19728C96FAC8713C008030EBBFD7A28FC
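The DS records above are digests of the zone's DNSKEY (the DS and DNSKEY types listed under "How does it work?"), so the values you submit to MyAPNIC have to be computed from, and checked against, the key actually published in the zone. The following Python is an added example, not APNIC's code or part of the MyAPNIC tooling: it builds a DS record from DNSKEY fields the way RFC 4034 describes (canonical owner name in wire format followed by the DNSKEY RDATA, hashed with SHA-1 for digest type 1 or SHA-256 for digest type 2), and it sanity-checks zone-file DS lines of the kind shown in the bulk-update example before they are uploaded. The DNSKEY it uses (flags 257, algorithm 8, a four-byte placeholder instead of real RSA key material) is constructed for the example; the two DS lines are the page's own, joined onto single lines.

```python
import hashlib
import re
import struct

# DS digest types this example understands (RFC 4034 / RFC 4509): type -> (hashlib name, digest bytes)
DS_DIGEST_TYPES = {1: ("sha1", 20), 2: ("sha256", 32)}

# Zone-file DS line: owner [TTL] [IN] DS key-tag algorithm digest-type digest
DS_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    stripped = name.rstrip(".").lower()
    out = b""
    if stripped:
        for label in stripped.split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B). It is a checksum, not a
    unique identifier: two different keys can carry the same tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire form: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes,
            digest_type: int, ttl: int = 86400) -> str:
    """DS record (presentation format) for the given DNSKEY. The digest covers the canonical
    owner name followed by the DNSKEY RDATA, so the same key at another name gives another DS."""
    hash_name, _ = DS_DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.new(hash_name, name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def check_ds_line(line: str) -> list:
    """Problems found in one zone-file DS line; an empty list means it is well-formed."""
    m = DS_LINE.match(line.strip())
    if not m:
        return ["not a DS record"]
    owner, tag, alg, dtype, digest_hex = m.groups()
    digest_hex = re.sub(r"\s+", "", digest_hex)  # whitespace inside the digest is allowed in zone files
    problems = []
    if not owner.endswith("."):
        problems.append("owner name is not fully qualified (missing trailing dot)")
    if int(tag) > 65535:
        problems.append("key tag out of range")
    if int(dtype) not in DS_DIGEST_TYPES:
        problems.append(f"unsupported digest type {dtype}")
    else:
        expected = DS_DIGEST_TYPES[int(dtype)][1] * 2
        if len(digest_hex) != expected:
            problems.append(f"digest type {dtype} needs {expected} hex digits, got {len(digest_hex)}")
    return problems


def ds_matches_dnskey(ds_line: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> bool:
    """True if the DS line is exactly what make_ds produces for this DNSKEY at the line's owner name."""
    m = DS_LINE.match(ds_line.strip())
    if not m or int(m.group(4)) not in DS_DIGEST_TYPES:
        return False
    owner, tag, alg, dtype, digest_hex = m.groups()
    expected = make_ds(owner, flags, protocol, algorithm, public_key, int(dtype)).split()
    return (int(tag), int(alg), int(dtype), re.sub(r"\s+", "", digest_hex).upper()) == \
        (int(expected[4]), int(expected[5]), int(expected[6]), expected[7])


# Constructed sample input: the two DS records from the bulk-update example, each on one line
SAMPLE_DS_LINES = [
    "0.168.192.in-addr.arpa. 86400 IN DS 33736 5 1 4B7ABE2701C6A6F34C479EBDDBC9706C91A4B454",
    "0.168.192.in-addr.arpa. 86400 IN DS 33736 5 2 "
    "B1E76175EC4F7AEF17EC5DBD3BA24EA19728C96FAC8713C008030EBBFD7A28FC",
]
# Constructed DNSKEY: KSK flags (257), protocol 3, algorithm 8 (RSA/SHA-256), placeholder key bytes.
# A real RSA public key is hundreds of bytes long; the digest procedure is identical.
SAMPLE_KSK = (257, 3, 8, bytes.fromhex("01020304"))

if __name__ == "__main__":
    for line in SAMPLE_DS_LINES:
        print(check_ds_line(line) or "ok", "<-", line)
    ds = make_ds("0.168.192.in-addr.arpa.", *SAMPLE_KSK, digest_type=2)
    print(ds)
    print("matches KSK:", ds_matches_dnskey(ds, *SAMPLE_KSK))
```

Two points the code makes explicit: the DS is bound to the owner name, so it must be computed for the delegated zone name exactly as it appears in the parent, and the key to submit is the KSK (flags 257), not the ZSK that signs the zone day to day. Running check_ds_line over a bulk-update file catches the common upload mistakes (missing trailing dot, a digest whose length does not match its digest type) before the parent publishes a DS that will never validate.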

APNIC operational settings

The following values are the operational parameters used by APNIC for our DNSSEC:

Key sizes
  • KSK: 2048-bit
  • ZSK: 1024-bit

Roll-over frequency
  • KSK: mid-May, after 02:00 (UTC +10)
  • ZSK: monthly, on the 1st of the month after 02:00 (UTC +10)

Zone re-sign frequency
  • Daily at 00:00 (UTC +10)

Signature validity
  • RRSIGs are valid for 30 days