[kictanet] DNSSEC - is it available again?

Mark Elkins mje at posix.co.za
Thu Mar 7 11:57:32 EAT 2019


Hi, thank you Brian for your reply.

On 2019/03/07 07:49, Brian Nyali wrote:
> Dear Mark,
>
> I trust you are well.
> Through the registry system we do accept entry of DS records, all 
> registrars can add the DS records from their interface , and if they 
> need assistance/guidance in doing so the technical team does assist.
> This information will be shared on the site and is part of the 
> registrar training scheduled for April 2019.

Perhaps the fact that you do support DNSSEC should be on your website? It 
could probably be along the lines of technical advice, such as you 
support Types 5 and 8 (RSA/SHA1 -and- RSA/SHA256) - although perhaps 
advise folk to prefer RSA/SHA256; whether you support type 13 (and 
others), the Elliptical Curve keys; and that perhaps you suggest people 
use (DS) digest type 2 in preference to type 1 ?? (more secure).

I was able to persuade the ZACR/DNS folk in ZA to do away with Digest 
type-1 for all internal purposes (i.e. to the 'root') although type-1 DS 
digests are still accepted from customers.

> Non-Kenyan based registrars are not yet allowed, one must have 
> physical presence in Kenya. However, one can become a reseller under 
> an existing registrar in the meantime.

Sad. I'm not aware that any registrars have reseller facing APIs for 
automation - and that's a potential problem. DNSSEC really needs to be 
run in a totally automated manner. It's when there are humans in the 
process that things can go wrong.

Are there any plans to allow "DNS Operators" to manipulate DNSSEC 
records? That would solve that problem. I include "CDS" records in my 
customer zones (see: "dig bantex.co.ke cds")  and they should 
effectively reflect what is in the parent zone as DS records. I was 
looking at writing an RFC "tickle" that would allow a Registry to 
identify the URL necessary so that a DNS operator could call that with a 
domain name - and then have the Registry poll the Nameservers of that 
domain to look for CDS/DS changes and update on the Registry side. This 
would only work for domains where DNSSEC is switched on.

Anyway - I must thank my Kenyan Registrar for adding DNSSEC to one of my 
domains. Thanks guys.

> The KRA Pin is the Kenya Revenue Authority Taxpayer's Personal 
> Identification Number and is needed for the registry to file VAT returns.
>
> Kind regards,
> Brian Nyali.
>
> ------------------------------------------------------------------------
> *From: *"Mark Elkins via kictanet" <kictanet at lists.kictanet.or.ke>
> *To: *"Brian Nyali" <brian at kenic.or.ke>
> *Cc: *"Mark Elkins" <mje at posix.co.za>
> *Sent: *Wednesday, March 6, 2019 6:27:47 PM
> *Subject: *[kictanet] DNSSEC - is it available again?
>
> Hi,
> Just did a search on DNSSEC in this group and get nothing.
>
> I see that co.ke (and ke!) is DNSSEC signed. That's Very Good.
>
> Does KeNIC accept DS records for entries in CO.KE?
>
> Do any Registrars have that in their interface?
>
> A search of "dnssec" on the KeNIC website shows nothing (I tried both 
> cases)
> http://www.kenic.or.ke/index.php/en/search-results?ordering=newest&searchword=DNSSEC
>
> Lastly - Are non-Kenyan based organisations allowed to be Registrars yet?
> The Application form 
> (http://www.kenic.or.ke/images/PDF/Registrar%20Application%20Form%20Updated.pdf) 
>
> doesn't state you have to be in Kenya - though it asks for a "KRA Pin 
> Certificate" - and I've no clue what that is.
>
> I have a few co.ke domains and would love to add DNSSEC to them. My 
> systems allow for that (talks EPP) and I have about 100 DNSSEC signed 
> domains, mainly in ZA but also in other ccTLDs and GTLDs.
>
>
> -- 
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za        Tel: +27.128070590  Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA:https://ftth.posix.co.za
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
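
Added example, not part of the original message: a sketch of the check a registry or DNS operator could automate, deriving DS records from a DNSKEY as RFC 4034 specifies, comparing the child's CDS set with the parent's DS set, and flagging digest type 1 and algorithm 5. The owner name `example.test.` and the 4-byte key are constructed sample values, and the finding labels are assumptions of this sketch.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2
WEAK_ALGS = {5}                                  # RSA/SHA1 signing algorithm

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, alg, pubkey_b64, digest_type):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + base64.b64decode(pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)

def audit(parent_ds, child_cds):
    """Compare the parent's DS set with the child's CDS set and flag weak choices."""
    parent, child = set(parent_ds), set(child_cds)
    findings = [("add-at-parent", r) for r in sorted(child - parent)]
    findings += [("remove-at-parent", r) for r in sorted(parent - child)]
    for r in sorted(parent | child):
        if r[2] == 1:
            findings.append(("sha1-digest", r))
        if r[1] in WEAK_ALGS:
            findings.append(("rsa-sha1-key", r))
    return findings

if __name__ == "__main__":
    KEY = "AQIDBA=="  # constructed 4-byte stand-in for a public key, not a real key
    old = make_ds("example.test.", 257, 3, 8, KEY, 1)   # what the parent holds
    new = make_ds("example.test.", 257, 3, 8, KEY, 2)   # what the child publishes as CDS
    for kind, rec in audit([old], [new]):
        print(kind, *rec)
```
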
