Add DNSSEC key

This page allows upload of keys to use for DNSSEC signing of the zone. The uploaded key file must be in "private key format" version 1.2, as generated by the dnssec-keygen utility provided with the BIND DNS server software. The dnssec-keygen binary is also installed together with the local BIND secondary in the 'named' subdirectory of the NameSurfer installation. The key types recognized and accepted by the key parser are RSA-MD5 (type 1), RSA-SHA1 (type 5) and DSA (type 3) as specified in the DNSSEC specification. However, only RSA-SHA1 is currently supported, and the other key types will not be functional even though the server accepts them for upload.

Issued on

This field is used to set the start date for the validity of the key, and is automatically filled with the current date.

Expires at

This field indicates the date after which the key should no longer be used for signing, and after which all signatures generated using it should be removed.

Key role

A DNSSEC key can be either a zone signing key, used to sign all resource record sets in a zone, or a key signing key, used only to sign the set of keys that is used to sign the zone. Every DNSSEC signed zone should have at least one of each, with the mandatory key type 5.

IMPORTANT: DNSSEC support is currently experimental

The DNSSEC support in FusionLayer NameSurfer is currently experimental and thus may not necessarily be in 1:1 compliance with the related standards (RFCs 4033-4035 and other related documents). As this is work in progress, the functionality will be continually improved in the upcoming releases, and the first implementation of DNSSEC support is not recommended for use in demanding production environments.
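A local pre-upload check for the key file requirements stated on this page (format version 1.2; types 1, 3 and 5 accepted, only type 5 functional), given as an added example that is not NameSurfer's own parser. The function name, the status strings and the RSA field completeness check are assumptions of this example; the field names are those dnssec-keygen writes for RSA keys, and the sample key files are constructed with placeholder values.

```python
import re

# Algorithm numbers the page says the key parser accepts; only 5 is functional.
ACCEPTED = {1: "RSA-MD5", 3: "DSA", 5: "RSA-SHA1"}
FUNCTIONAL = {5}
# Field names dnssec-keygen writes for RSA keys in a v1.2 .private file.
RSA_FIELDS = ["Modulus", "PublicExponent", "PrivateExponent", "Prime1",
              "Prime2", "Exponent1", "Exponent2", "Coefficient"]


def check_private_key(text):
    """Return (status, reason) for the contents of a dnssec-keygen .private file.

    status is "ok", "accepted-nonfunctional" or "rejected" (names are
    hypothetical, chosen for this example).
    """
    fields = {}
    for line in text.splitlines():
        if line.strip():
            name, sep, value = line.partition(":")
            if not sep:
                return "rejected", "malformed line (no 'Name: value')"
            fields[name.strip()] = value.strip()
    version = fields.get("Private-key-format")
    if version != "v1.2":
        return "rejected", f"format version is {version!r}, page requires v1.2"
    match = re.match(r"(\d+)\b", fields.get("Algorithm", ""))
    if not match or int(match.group(1)) not in ACCEPTED:
        return "rejected", "algorithm is not type 1, 3 or 5"
    alg = int(match.group(1))
    if alg not in FUNCTIONAL:
        return "accepted-nonfunctional", f"{ACCEPTED[alg]} uploads but cannot sign"
    # Assumption of this example: an RSA key missing any field is unusable.
    missing = [f for f in RSA_FIELDS if not fields.get(f)]
    if missing:
        return "rejected", "missing RSA fields: " + ", ".join(missing)
    return "ok", "RSA-SHA1 key in private key format v1.2"


# Constructed sample input: placeholder values, not real key material.
SAMPLE_RSASHA1 = "Private-key-format: v1.2\nAlgorithm: 5 (RSASHA1)\n" + "".join(
    f"{name}: AQAB\n" for name in RSA_FIELDS)
SAMPLE_DSA = "Private-key-format: v1.2\nAlgorithm: 3 (DSA)\nPrime(p): AQAB\n"
SAMPLE_V13 = SAMPLE_RSASHA1.replace("v1.2", "v1.3")

if __name__ == "__main__":
    for label, sample in [("rsasha1", SAMPLE_RSASHA1), ("dsa", SAMPLE_DSA),
                          ("v1.3", SAMPLE_V13)]:
        print(label, check_private_key(sample))
```

The "accepted-nonfunctional" result is the case to catch before upload: per the text above, such a key is stored by the server but does not work for signing.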