R01 is the only domain registrar in the RU zone that supports domain delegation with DNSSEC. If your domain is served by a different registrar and you want to secure it, you need to transfer the domain to R01. This procedure is free under the regulations of the RU domain zone.
Adding a digital signature to a domain is fairly simple. During the registration or transfer procedure you generate a public key and a private key and then add the public key to the zone file that holds your domain information on the primary DNS server. Signing the zone produces a DS record (the dsset file), which you copy into a specific field of the registration form. The standard BIND version 9 package contains all the programs needed for these operations.
Nothing needs to be done on the secondary DNS servers, but you must make sure that your secondary server supports DNSSEC. If it does not, enable DNSSEC support in the BIND configuration file by adding the line "dnssec-enable yes;".
Let's assume your domain name is dnssec.ru.
You should start with creating 2 key pairs:
The first pair is the ZSK (Zone Signing Key), which is used to sign the zone file:
> dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n ZONE dnssec.ru
Kdnssec.ru.+005+25721
The second pair is the KSK (Key Signing Key), which is used to sign the ZSK and to generate the DS entries that are sent to the administrator of the parent zone:
> dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1024 -n ZONE dnssec.ru
Kdnssec.ru.+005+32463
The dnssec-keygen program prints the names of the generated keys. The public keys (here stored in the files Kdnssec.ru.+005+25721.key and Kdnssec.ru.+005+32463.key) must be added to the zone file of the domain (which is usually named after the domain).
Next, sign your zone with the KSK (given after -k) and the ZSK key file you just generated:
> dnssec-signzone -r /dev/random -o dnssec.ru -k Kdnssec.ru.+005+32463 dnssec.ru Kdnssec.ru.+005+25721.key
where the dnssec.ru argument that follows the -k key name is the name of the zone file.
Warning: you need to re-sign the zone file every time the domain information changes.
Signing the zone file generates its signed version. By default the signed zone file is named "zone_file_name" + ".signed". Now find the line in /etc/named.conf that names the file containing the domain information and add .signed to it:
file "dnssec.ru"; --> file "dnssec.ru.signed";
Restart named afterwards.
Now you need to integrate your key information into the global DNSSEC system. To do so, take the DS entry from the dsset-dnssec.ru. file generated by dnssec-signzone (the file contains a line similar to "dnssec.ru. IN DS 29280 5 1 56CFF04E460B0FA4BCC31BDA08CFB4A98FF5140D") and paste everything after DS into the "ds-rdata:" field of your domain description in the R01 user web interface.
Within 24 hours after adding "ds-rdata:" your domain will be secured with DNSSEC.
You can check whether a domain is secured using the UNIX command line whois utility or the whois service on the R01 site:
> whois -h whois.r01.ru dnssec.ru
domain:     DNSSEC.RU
type:       CORPORATE
nserver:    ns.netassist.kiev.ua.
nserver:    greentheatre.gpt.ru.
state:      REGISTERED, DELEGATED
nic-hdl:    GPT-ORG-GPT
org:        Garant-Park-Telecom
phone:      +7 095 7833783
fax_no:     +7 095 9308800
e-mail:     support@parkline.ru
reg-till:   01-03-2007
created:    01-03-2006
changed:    02-03-2006
mnt-by:     GPT-ORG-GPT
registrar:  R01-REG-RIPN
ds-rdata:   4518 5 1 9C29E65CD9C8A2E2DC86737E0E03E3A34FE299C8
The "ds-rdata:" line shows that your domain is secured with DNSSEC, and users with DNSSEC-validating resolvers can be sure that, when they look up your resource, they are directed to your actual server.
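The DS entry in the dsset file and the "ds-rdata:" line in whois are both derived from the KSK's DNSKEY record: key tag, algorithm, digest type, and a hash over the owner name plus the DNSKEY RDATA. The following added example (written for this page; it is not R01's or BIND's code) recomputes the DS fields from a DNSKEY and compares them with what the registrar publishes, so you can catch a paste error or a stale DS after a KSK change before validating resolvers start rejecting the zone. The key material is a constructed placeholder, not a real RSA key; in practice you would read the DNSKEY fields from the Kdnssec.ru.+005+32463.key file.

```python
import base64
import hashlib
import struct

# Constructed example values (not a real key): the DNSKEY a KSK such as
# Kdnssec.ru.+005+32463.key would publish. Flags 257 = KSK (SEP bit set),
# protocol 3, algorithm 5 = RSASHA1, matching the "+005" and "5" in the guide.
EXAMPLE_OWNER = "dnssec.ru."
EXAMPLE_FLAGS = 257
EXAMPLE_PROTOCOL = 3
EXAMPLE_ALGORITHM = 5
EXAMPLE_PUBKEY_B64 = base64.b64encode(b"constructed placeholder, not an RSA key").decode()


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, terminated by the root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5).
    This is the number in the key file name (...+005+32463) and the first DS field."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA).
    Type 1 = SHA-1 (what the guide's dsset file shows), type 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_rdata(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """The four DS fields the registrar asks for in "ds-rdata:":
    key tag, algorithm, digest type, digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def parse_ds_rdata(text):
    """Parse the value after 'ds-rdata:' in whois output, e.g.
    '4518 5 1 9C29E65C...' -> (4518, 5, 1, '9C29E65C...')."""
    tag, alg, dtype, digest = text.split()
    return int(tag), int(alg), int(dtype), digest.upper()


def ds_matches_key(owner, flags, protocol, algorithm, pubkey_b64, published_ds_text):
    """True if the DS the registrar published really points at this DNSKEY.
    A mismatch (typo when pasting, stale DS after a KSK rollover) means
    validating resolvers will treat the whole zone as bogus."""
    tag, alg, dtype, digest = parse_ds_rdata(published_ds_text)
    if dtype not in (1, 2):
        return False  # unsupported digest type: cannot confirm, report as mismatch
    expected = ds_rdata(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return expected == (tag, alg, dtype, digest)


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_rdata(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                                       EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64)
    # Same shape as the line in dsset-dnssec.ru.; paste the part after DS into ds-rdata:
    print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

Run it with the flags, protocol, algorithm and base64 key taken from your own KSK .key file, then pass the "ds-rdata:" value from whois to ds_matches_key; a False result means the delegation does not point at the key you are actually signing with.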