After creating a domain I receive three DS records I should communicate to the domain registrar. However, my domain registrar only accepts one or two records of type 257 (KSK) and wants me to specify the algorithm used.
Sure, you can use deSEC with that registrar: You don’t need to use all the DS records that we give to you. If you can use only two algorithms, I’d recommend using 2 (SHA-256) and 4 (SHA-384).
Hope that helps. If you’re still stuck, let me know!
Thanks for your reply. I understand from your post that what desec gives me as DS records is what I should tell my registrar when asked for KSK records.
You suggest to use the algorithms
I assume this refers to the DS keys given by desec that have 2 and 4, respectively, in the third position. Is that correct?
I could enter these two at my registrar’s UI. However, this does not match the options regarding the algorithm given by my registrar:
Please don’t take it personally, but as somebody completely new to DNSSEC, I’d appreciate slightly more elaborate instructions regarding the information I have to give to my registrar. I found the information in the GUI a bit scarce. I’m familiar with DNS, and I never had a case where instructions to “enter an RR of type X” meant that an RR of type Y had to be entered.
Here the “1” in the first and the “2” in the second record are the algorithms used for calculating the DS hash. 1: SHA-1, 2: SHA-256. The “8” is the algorithm used for the referenced DNSKEY with key id “6454” (8: RSASHA256).
That being said, going back to your original question:
Based on the selection that your provider offers to you, it looks like you need to enter so-called DNSKEY values (instead of DS values). We updated the web interface just now so that the domain info box now also displays this DNSKEY value.
Regarding the instructions: We have no way of telling whether your provider requires entering DS values or DNSKEY values. Both approaches are valid and lead to the same result, but we can’t give you instructions about that. Your provider should be clearly telling you whether DS or DNSKEY is required – if not, they may be glad about a suggestion on how to improve their interface.
Another aspect is that some providers accept the DS or DNSKEY values as whole (the whole string with multiple parts), and others want several individual fields filled out, for the algorithm etc. Would you like to make a suggestion on how to present this dichotomy more intuitively in the GUI? It would be great if you could share your feedback as a feature request at https://github.com/desec-io/desec-stack/issues/new. Thanks!
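As an added example that is not part of this thread and not deSEC’s own code: the script below shows, for the questions raised above (what the numbers in a DS record mean, and how DS and DNSKEY relate), how the key tag and the SHA-256 (type 2) and SHA-384 (type 4) DS digests are derived from a DNSKEY according to RFC 4034. It renders each DS record both as one string and as separate fields, and checks that a DS string typed at a registrar really matches the DNSKEY. The zone name example.org and the KSK are constructed for illustration; the key bytes are not a real key.

```python
import base64
import hashlib
import struct

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605).
DIGEST_ALGS = {
    1: ("SHA-1", hashlib.sha1),
    2: ("SHA-256", hashlib.sha256),
    4: ("SHA-384", hashlib.sha384),
}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag, the 'key id' that appears as first field of a DS record."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation: str):
    """Parse 'flags protocol algorithm base64key', the four DNSKEY fields a registrar may ask for."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key_parts))


def ds_records(owner: str, dnskey: str, digest_types=(2, 4)):
    """Compute the DS records for a DNSKEY: digest over owner name (wire form) + DNSKEY RDATA."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey)
    tag = key_tag(flags, protocol, algorithm, pubkey)
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    records = []
    for dt in digest_types:
        digest = DIGEST_ALGS[dt][1](data).hexdigest().upper()
        records.append({"key_tag": tag, "algorithm": algorithm, "digest_type": dt, "digest": digest})
    return records


def ds_presentation(ds: dict) -> str:
    """The 'raw' single-string form: 'keytag algorithm digesttype digest'."""
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches(owner: str, dnskey: str, ds_string: str) -> bool:
    """Verify that a DS record (as typed at a registrar) belongs to the given DNSKEY."""
    parts = ds_string.split()
    if len(parts) < 4:
        return False
    tag, alg, dt, *digest_parts = parts
    if not dt.isdigit() or int(dt) not in DIGEST_ALGS:
        return False
    expected = ds_records(owner, dnskey, (int(dt),))[0]
    digest = "".join(digest_parts).upper()
    return (int(tag), int(alg), digest) == (expected["key_tag"], expected["algorithm"], expected["digest"])


# Constructed sample (not a real key): KSK flags 257, protocol 3, algorithm 13, 64-byte public key.
SAMPLE_OWNER = "example.org."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print("DNSKEY:", SAMPLE_DNSKEY)
    for ds in ds_records(SAMPLE_OWNER, SAMPLE_DNSKEY):
        print("DS (raw):   ", ds_presentation(ds))
        print("DS (fields):", ds)
```

Run it to see the same data in both shapes registrars use: the raw string for providers that take the whole record, and the separate key tag / algorithm / digest type / digest fields for providers with one input box per field. `ds_matches` is the check to run before submitting: paste the DS string you are about to enter and confirm it was computed from the DNSKEY of your zone.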
Thanks for your response. I think the current documentation is already much better, as it makes clear that there are two possible ways to enter the necessary RRs.
Maybe this would be a way to display the key in your GUI as well, i.e. displaying the four fields separately with title (Type, Protocol, …), value (257, 3, …) and description (KSK, DNSSEC, …). For those users who have to enter it as one string, you could have a field “raw” or something similar which displays the values as one string, like today.
I like the idea of adding more options for how to deliver the key to the registrar. One way I envision is that we show the different options in tabs or expansion panels and tell the user that they need to figure out themselves which option works with their registrar.
In the far future we could add hints about which popular registrar uses which method.