<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi, thank you Brian for your reply.</p>
<div class="moz-cite-prefix">On 2019/03/07 07:49, Brian Nyali wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1643841366.2313083.1551937772288.JavaMail.zimbra@kenic.or.ke">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div id="zimbraEditorContainer" style="font-family: trebuchet
ms,sans-serif; font-size: 12pt; color: #000000" class="4">
<div><span style="font-family: "trebuchet ms",
sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"
data-mce-style="font-family: 'trebuchet ms', sans-serif;
font-size: 12pt; color: #000000;">Dear Mark,</span></div>
<div><br data-mce-bogus="1">
</div>
<div><span style="font-family: "trebuchet ms",
sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"
data-mce-style="font-family: 'trebuchet ms', sans-serif;
font-size: 12pt; color: #000000;">I trust you are well.</span></div>
<div><span style="font-family: "trebuchet ms",
sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"
data-mce-style="font-family: 'trebuchet ms', sans-serif;
font-size: 12pt; color: #000000;">Through the registry
system we do accept entry of DS records, all registrars can
add the DS records from their interface , and if they need
assistance/guidance in doing so the technical team does
assist.</span></div>
<div><span style="font-family: "trebuchet ms",
sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"
data-mce-style="font-family: 'trebuchet ms', sans-serif;
font-size: 12pt; color: #000000;">This information will be
shared on the site and is part of the registrar training
scheduled for April 2019.</span></div>
</div>
</blockquote>
<p>Perhaps the fact that you do support DNSSEC should be on you
website? It could probably be along the lines of technical advise,
such as you support Types 5 and 8 (RSA/SHA1 -and- RSA/SHA256) -
although perhaps advise folk to prefer RSA/SHA256; whether you
support type 13 (and others), the Elliptical Curve keys; and that
perhaps you suggest people use (DS) digest type 2 in preference to
type 1 ?? (more secure).<br>
<br>
I was able to persuade the ZACR/DNS folk in ZA to do away with
Digest type-1 for all internal purposes (i.e. to the 'root')
although type-1 DS digests are still accepted from customers.<br>
</p>
<blockquote type="cite"
cite="mid:1643841366.2313083.1551937772288.JavaMail.zimbra@kenic.or.ke">
<div id="zimbraEditorContainer" style="font-family: trebuchet
ms,sans-serif; font-size: 12pt; color: #000000" class="4">
<div><span style="color: rgb(0, 0, 0); font-family:
"trebuchet ms", sans-serif; font-size: 12pt;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 400; letter-spacing:
normal; orphans: 2; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); float: none; display:
inline !important;" data-mce-style="color: #000000;
font-family: 'trebuchet ms', sans-serif; font-size: 12pt;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 400; letter-spacing:
normal; orphans: 2; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: #ffffff; float: none; display: inline
!important;"><span style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255,
255, 255); float: none; display: inline !important;"
data-mce-style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: #ffffff;
float: none; display: inline !important;"><span
style="font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: 400;
letter-spacing: normal; orphans: 2; text-align: start;
text-indent: 0px; text-transform: none; white-space:
normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color:
rgb(255, 255, 255); float: none; display: inline
!important;" data-mce-style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal;
orphans: 2; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: #ffffff; float: none; display: inline
!important;">Non-Kenyan based registrars are not yet
allowed, one must have physical presence in Kenya.
However, one can become a reseller under an existing
registrar in the meantime.</span></span></span></div>
</div>
</blockquote>
<p>Sad. I'm not aware that any registrars have reseller facing API's
for automation - and that's a potential problem. DNSSEC really
needs to be run in a totally automated manor. Its when there are
humans in the process that things can go wrong.<br>
<br>
Are there any plans to allow "DNS Operators" to manipulate DNSSEC
records? That would solve that problem. I include "CDS" records in
my customer zones (see: "dig bantex.co.ke cds") and they should
effectively reflect what is in the parent zone as DS records. I
was looking at writing an RFC "tickle" that would allow a Registry
to identify the URL necessary so that a DNS operator could call
that with a domain name - and then have the Registry poll the
Nameservers of that domain to look for CDS/DS changes and update
on the Registry side. This would only work for domains where
DNSSEC is switched on.</p>
<p>Anyway - I must thank my Kenyan Registrar for adding DNSSEC to
one of my domains. Thanks guys.<br>
</p>
<blockquote type="cite"
cite="mid:1643841366.2313083.1551937772288.JavaMail.zimbra@kenic.or.ke">
<div id="zimbraEditorContainer" style="font-family: trebuchet
ms,sans-serif; font-size: 12pt; color: #000000" class="4">
<div><span style="color: rgb(0, 0, 0); font-family:
"trebuchet ms", sans-serif; font-size: 12pt;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 400; letter-spacing:
normal; orphans: 2; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); float: none; display:
inline !important;" data-mce-style="color: #000000;
font-family: 'trebuchet ms', sans-serif; font-size: 12pt;
font-style: normal; font-variant-ligatures: normal;
font-variant-caps: normal; font-weight: 400; letter-spacing:
normal; orphans: 2; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: #ffffff; float: none; display: inline
!important;"><span style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(255,
255, 255); float: none; display: inline !important;"
data-mce-style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps: normal;
font-weight: 400; letter-spacing: normal; orphans: 2;
text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: #ffffff;
float: none; display: inline !important;"><span
style="font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: 400;
letter-spacing: normal; orphans: 2; text-align: start;
text-indent: 0px; text-transform: none; white-space:
normal; widows: 2; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color:
rgb(255, 255, 255); float: none; display: inline
!important;" data-mce-style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal;
orphans: 2; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: #ffffff; float: none; display: inline
!important;">The KRA Pin is the Kenya Revenue Authority
Taxpayer's <span style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal;
orphans: 2; text-align: left; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255); float: none;
display: inline !important;"
data-mce-style="font-style: normal;
font-variant-ligatures: normal; font-variant-caps:
normal; font-weight: 400; letter-spacing: normal;
orphans: 2; text-align: left; text-indent: 0px;
text-transform: none; white-space: normal; widows: 2;
word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: #ffffff; float: none; display:
inline !important;">Personal Identification Number and
is needed for the registry to file VAT returns.</span></span></span></span>
<div style="clear: both;" data-mce-style="clear: both;"><br
data-mce-bogus="1">
</div>
</div>
<div data-marker="__SIG_PRE__">
<div><span style="font-family: 'trebuchet ms', sans-serif;"
data-mce-style="font-family: 'trebuchet ms', sans-serif;">Kind
regards,</span><br>
<span style="font-family: 'trebuchet ms', sans-serif; color:
#000000;" data-mce-style="font-family: 'trebuchet ms',
sans-serif; color: #000000;">Brian Nyali.</span></div>
<div><img src="cid:part1.59396CFC.796BD65E@posix.co.za"
data-mce-src="home/brian@kenic.or.ke/Briefcase/email-footer-7.jpg"
doc="Briefcase/email-footer-7.jpg" class=""></div>
<div><span style="font-family: 'trebuchet ms', sans-serif;
font-size: 10pt; color: #333333;"
data-mce-style="font-family: 'trebuchet ms', sans-serif;
font-size: 10pt; color: #333333;"><em style="margin: 0px;
padding: 0px; border: 0px; vertical-align: baseline;"
data-mce-style="margin: 0px; padding: 0px; border: 0px;
vertical-align: baseline;"> </em></span></div>
</div>
<div><br>
</div>
<hr id="zwchr" data-marker="__DIVIDER__">
<div data-marker="__HEADERS__"><b>From: </b>"Mark Elkins via
kictanet" <a class="moz-txt-link-rfc2396E" href="mailto:kictanet@lists.kictanet.or.ke"><kictanet@lists.kictanet.or.ke></a><br>
<b>To: </b>"Brian Nyali" <a class="moz-txt-link-rfc2396E" href="mailto:brian@kenic.or.ke"><brian@kenic.or.ke></a><br>
<b>Cc: </b>"Mark Elkins" <a class="moz-txt-link-rfc2396E" href="mailto:mje@posix.co.za"><mje@posix.co.za></a><br>
<b>Sent: </b>Wednesday, March 6, 2019 6:27:47 PM<br>
<b>Subject: </b>[kictanet] DNSSEC - is it available again?<br>
</div>
<div><br>
</div>
<div data-marker="__QUOTED_TEXT__">
<p>Hi,<br>
Just did a search on DNSSEC in this group and get nothing.</p>
<p>I see that co.ke (and ke!) is DNSSEC signed. That's Very
Good.</p>
<p>Does KeNIC accept DS records for entries in CO.KE?</p>
<p>Do any Registrars have that in their interface?</p>
<p>A search of "dnssec" on the KeNIC website shows nothing (I
tried both case)<br>
<a class="moz-txt-link-freetext"
href="http://www.kenic.or.ke/index.php/en/search-results?ordering=newest&searchword=DNSSEC"
target="_blank" moz-do-not-send="true">http://www.kenic.or.ke/index.php/en/search-results?ordering=newest&searchword=DNSSEC</a></p>
<p><img src="cid:part3.CD1BC871.7C2479B5@posix.co.za" alt=""
class="" width="423" height="155"></p>
<p>Lastly - Are non-Kenyan based organisations allowed to be
Registrars yet?<br>
The Application form
(<a class="moz-txt-link-freetext"
href="http://www.kenic.or.ke/images/PDF/Registrar%20Application%20Form%20Updated.pdf"
target="_blank" moz-do-not-send="true">http://www.kenic.or.ke/images/PDF/Registrar%20Application%20Form%20Updated.pdf</a>)
<br>
doesn't state you have to be in Kenya - though it asks for a
"KRA Pin Certificate" - and I've no clue what that it. <br>
<br>
I have a few co.ke domains and would love to add DNSSEC to
them. My systems allow for that (talks EPP) and I have about
100 DNSSEC signed domains, mainly in ZA but also in other
ccTLDs and GTLDs.<br>
</p>
<p><br>
</p>
<pre class="moz-signature">--
Mark James ELKINS - Posix Systems - (South) Africa
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za" target="_blank" moz-do-not-send="true">mje@posix.co.za</a> Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: <a class="moz-txt-link-freetext" href="https://ftth.posix.co.za" target="_blank" moz-do-not-send="true">https://ftth.posix.co.za</a>
</pre>
<br>
_______________________________________________<br>
kictanet mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a><br>
<a class="moz-txt-link-freetext" href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br>
Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/kictanet">http://twitter.com/kictanet</a><br>
Facebook: <a class="moz-txt-link-freetext" href="https://www.facebook.com/KICTANet/">https://www.facebook.com/KICTANet/</a><br>
<br>
Unsubscribe or change your options at
<a class="moz-txt-link-freetext" href="https://lists.kictanet.or.ke/mailman/options/kictanet/brian%40kenic.or.ke">https://lists.kictanet.or.ke/mailman/options/kictanet/brian%40kenic.or.ke</a><br>
<br>
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder
platform for people and institutions interested and involved
in ICT policy and regulation. The network aims to act as a
catalyst for reform in the ICT sector in support of the
national aim of ICT enabled growth and development.<br>
<br>
KICTANetiquette : Adhere to the same standards of acceptable
behaviors online that you follow in real life: respect
people's times and bandwidth, share knowledge, don't flame or
abuse or personalize, respect privacy, do not spam, do not
market your wares or qualifications.<br>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Mark James ELKINS - Posix Systems - (South) Africa
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: <a class="moz-txt-link-freetext" href="https://ftth.posix.co.za">https://ftth.posix.co.za</a>
</pre>
</body>
</html>