Registrar only supports KSK, not DS

After creating a domain I receive three DS records I should communicate to the domain registrar. However, my domain registrar only accepts one or two records of type 257 (KSK) and wants me to specify the algorithm used.

Any chance to use desec with this registrar?

Hi some-user,

Thanks for your message, and welcome to deSEC! :slight_smile:

Sure, you can use deSEC with that registrar: You don’t need to use all the DS records that we give to you. If you can use only two algorithms, I’d recommend using 2 (SHA-256) and 4 (SHA-384).

Hope that helps. If you’re still stuck, let me know!

Stay secure,
Peter

Hi @peter,

thanks for your reply. I understand from your post, that what desec gives me as DS records I should tell my registrar when asked for KSK records.

You suggest to use the algorithms

I assume this refers to the DS keys given from desec that have 2 and 4, respectively, in the third position. Is that correct?
I could enter these two at my registrar’s UI. However, this does not match the options regarding the algorithm given by my registrar:

1 (RSA/MD5)
2 (Diffie Hellmann)
3 (DSA/SHA-1)
4 (Elliptic Curves)
...
8 (RSA/SHA-256)
10 (RSA/SHA-512)
...
14 (ECDSAP384SHA384)

Please don’t take it personal, but as somebody completely new to DNSSEC, I’d appreciate a little more elaborate instructions regarding the information I have to give to my registrar. I found the information in the GUI a bit scarce. I’m familiar with DNS and I never had a case, where instructions to “enter a RR of type X” meant that a RR of type Y had to be entered.

Hi @some-user.

I think @peter is referring to RFC 8624 Section 3.3 DS and CDS Algorithms. Your list is more similar to (but not matching) Section 3.1 DNSKEY Algorithms of the same RFC?

And yes the output of e.g. dig(1) would list the algorithm used for the DS hash in the third position after the the “DS” record type:

$ dig desec.io DS
…
;; ANSWER SECTION:
desec.io.		43315	IN	DS	6454 8 1 24396E17E36D031F71C354B06A979A67A01F503E
desec.io.		43315	IN	DS	6454 8 2 5CBA665A006F6487625C6218522F09BD3673C25FA10F25CB18459AA1 0DF1F520
…
$

Here the “1” in the first and the “2” in the second record are the algorithms used for calculating the DS hash. 1: SHA-1, 2: SHA-256. The “8” is the algorithm used for the referenced DNSKEY with key id “6454” (8: RSASHA256).

That being said, going back to your original question:

So it seems they actually want the public key, not the DS record. This is ok, as a DS record can be calculated from the key. @peter essentialy answered the same question here: DS-Records currently not supported!?.

I’ll let @peter handle your critisism of the documentation but I think I can guess his response, as this is an open source project :wink:

HTH

fiwswe

Hi some-user,

Based on the selection that your provider offers to you, it looks like you need to enter so-called DNSKEY values (instead of DS values). We updated the web interface just now so that the domain info box now also displays this DNSKEY value.

Regarding the instructions: We have no way of telling whether your provider requires entering DS values, or DNSKEY values. Both approaches are valid and lead to the same result, but we can’t give you instructions about that. Your provider should be clearly telling you whether DS or DNSKEY is required – if not, they may be glad about a suggestions on how to improve their interface.

Another aspect is that some providers accept the DS or DNSKEY values as whole (the whole string with multiple parts), and others want several individual fields filled out, for the algorithm etc. Would you like to make a suggestion on how to present this dichotomy more intuitively in the GUI? It would be great if you could share your feedback as a feature request at https://github.com/desec-io/desec-stack/issues/new. Thanks!

Stay secure,
Peter

1 Like

Hi @peter,

thanks for your response. I think the current documentation is already much better, as it makes clear that there are two possible ways how to enter the necessary RRs.

My registrar displays the fields like this:

Maybe this would a way to display the key in your GUI as well? I.e. displaying the four fields separately with title (Type, Protocol, …) value (257, 3, …) and description (KSK, DNSSEC, …). For those users who have to enter it in one string, you could have a field “raw” or something similar which displays the values as one string like today.

I like the idea of adding more options how to deliver the key to the registrar. One way I envision is that we show the different options in tabs or expansion panels and tell the user that they need to figure out themselves which option is the one that works with their registrar.

In a far future we could add hints which popular registrar uses which method.

I like the tabs idea!