DNSSEC delegations

Procedure for Requesting DNSSEC Delegations

Date: April 2012


This document describes how to request DNSSEC Delegations. It is in addition to the existing procedure for requesting reverse delegations.

[Please note that until further notice from AfriNIC, DS RECORDS will not be visible in the DNS. Watch out for upcoming news from us.]

1.0 The DOMAIN Object

You can request reverse delegation by submitting domain objects via auto-dbm (e-mail) or via MyAFRINIC, which is the recommended method[1]. DNSSEC does not change the existing authorization mechanisms.

To enable the DNSSEC delegation, the domain object now includes a "ds-rdata:" attribute.

domain: [mandatory] [single] [primary/look-up key]
descr: [mandatory] [multiple] [ ]
org: [optional] [multiple] [inverse key]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
zone-c: [mandatory] [multiple] [inverse key]
nserver: [optional] [multiple] [inverse key]
ds-rdata: [optional] [multiple] [inverse key]
sub-dom: [optional] [multiple] [inverse key]
dom-net: [optional] [multiple] [ ]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [optional] [multiple] [inverse key]
mnt-lower: [optional] [multiple] [inverse key]
refer: [optional] [single] [ ]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]

2.0 The "ds-rdata:" Attribute

In DNSSEC, the Delegation Signer (DS) Resource Record is derived from a DNSKEY Resource Record: it carries a digest of that public key, and the parent zone publishes and signs it.
The "ds-rdata:" attribute contains the RDATA of the DS Resource Records for the domain named in the "domain:" attribute.

ds-rdata: 55555 8 2 CABC3A8AF15E93741BF45096DB1D3451D93B2F541166EA44F2D4781753328CB8

The four fields are, in order: the key tag (55555), the algorithm number (8), the digest type (2) and the digest itself.

3.0 Delegation Checks

When you submit your update through MyAFRINIC, the update engine performs a number of checks (shown as a picture in the original and listed below):

  • All the default checks MyAFRINIC performs on reverse delegations are kept.
  • A syntax check ensures that the DS entered is in the correct format:
      • keytag: {0-65535}; Algorithm: {3|5|6|7|8|10|12|253|254}; Digest type: {1-3}; Digest: {alphanumeric}
      • The digest length depends on the digest type as follows:
          • Type 1 (SHA-1): 160 bits (40 characters)
          • Type 2 (SHA-256) or 3 (GOST): 256 bits (64 characters)
  • Check that a key with the key tag given in the DS record exists in the child zone.
  • Check that the algorithm of that key matches the algorithm given in the DS attribute.
  • Check that the digest matches the key with the corresponding tag in the child zone.
  • Check that there is a valid RRSIG covering the DNSKEY corresponding to the DS submitted.
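The syntax check and the child-zone checks above, written out as an added Python example; this is not AFRINIC's update-engine code. It uses a constructed owner name and dummy DNSKEY bytes (not a real key), and it leaves out the RRSIG check, which needs signature verification.

```python
import hashlib

ALGORITHMS = {3, 5, 6, 7, 8, 10, 12, 253, 254}  # accepted by the syntax check (section 3.0)
DIGEST_LEN = {1: 40, 2: 64, 3: 64}                # hex characters per digest type
HASHERS = {1: hashlib.sha1, 2: hashlib.sha256}    # type 3 (GOST) is not in hashlib

def parse_ds_rdata(text):
    """Syntax check of 'keytag algorithm digest-type digest' from a ds-rdata: attribute."""
    keytag, alg, dtype, digest = text.split()  # ValueError unless exactly four fields
    keytag, alg, dtype, digest = int(keytag), int(alg), int(dtype), digest.upper()
    if not 0 <= keytag <= 65535 or alg not in ALGORITHMS or dtype not in DIGEST_LEN:
        raise ValueError("key tag, algorithm or digest type outside the accepted values")
    if len(digest) != DIGEST_LEN[dtype] or not set(digest) <= set("0123456789ABCDEF"):
        raise ValueError(f"digest must be {DIGEST_LEN[dtype]} hex characters for type {dtype}")
    return keytag, alg, dtype, digest

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Owner name in canonical (lowercase) wire format; the DS digest covers name + RDATA."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def make_ds(owner, rdata, dtype=2):
    """What the child operator generates and pastes into the ds-rdata: attribute."""
    digest = HASHERS[dtype](wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {dtype} {digest}"

def check_ds(ds_text, owner, dnskeys):
    """Child-zone checks: a DNSKEY with the tag exists, its algorithm and digest match."""
    keytag, alg, dtype, digest = parse_ds_rdata(ds_text)
    candidates = [k for k in dnskeys if key_tag(k) == keytag]
    if not candidates:
        return f"no DNSKEY with key tag {keytag} in child zone"
    if not any(k[3] == alg for k in candidates):
        return "algorithm does not match the DNSKEY with that tag"
    if dtype not in HASHERS:
        return "digest type 3 (GOST) cannot be recomputed here"
    if any(HASHERS[dtype](wire_name(owner) + k).hexdigest().upper() == digest for k in candidates):
        return "ok"
    return "digest does not match any DNSKEY with that tag"

# Constructed sample, not a real key: flags 257 (KSK), protocol 3, algorithm 8, dummy key bytes.
OWNER = "2.0.192.in-addr.arpa"
KSK = (257).to_bytes(2, "big") + bytes([3, 8]) + bytes([3, 1, 0, 1, 0xAB, 0xCD, 0xEF, 0x01])
SAMPLE_DS = make_ds(OWNER, KSK)
```

In practice `dnskeys` would be the DNSKEY RRset fetched from the child zone's name servers, and the DS text would be taken from the submitted domain object.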

[1] Currently there is no check or validation of DS records submitted through auto-dbm.