DNSSEC - is it available again?

Hi,
Just did a search on DNSSEC in this group and got nothing.
I see that co.ke (and ke!) is DNSSEC signed. That's Very Good.
Does KeNIC accept DS records for entries in CO.KE?
Do any Registrars have that in their interface?
A search of "dnssec" on the KeNIC website shows nothing (I tried both cases): http://www.kenic.or.ke/index.php/en/search-results?ordering=newest&searchword=DNSSEC
Lastly - Are non-Kenyan based organisations allowed to be Registrars yet? The Application form (http://www.kenic.or.ke/images/PDF/Registrar%20Application%20Form%20Updated.p...) doesn't state you have to be in Kenya - though it asks for a "KRA Pin Certificate" - and I've no clue what that is.
I have a few co.ke domains and would love to add DNSSEC to them. My systems allow for that (talks EPP) and I have about 100 DNSSEC signed domains, mainly in ZA but also in other ccTLDs and GTLDs.
-- Mark James ELKINS - Posix Systems - (South) Africa mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

Hello Mark,
Will answer part of your question with regards to KeNIC allowing registrars to update DS records. Yes, they do allow it, and it's pretty straightforward too. This can be done on the registrar interface provided by KeNIC. Attached is an example of one of my domains signed. Hope this answers part of your question.
On Wed, 6 Mar 2019 at 18:28, Mark Elkins via kictanet <kictanet@lists.kictanet.or.ke> wrote:
> Hi, Just did a search on DNSSEC in this group and get nothing.
> I see that co.ke (and ke!) is DNSSEC signed. That's Very Good.
> Does KeNIC accept DS records for entries in CO.KE?
> Do any Registrars have that in their interface?
> A search of "dnssec" on the KeNIC website shows nothing (I tried both case)
> http://www.kenic.or.ke/index.php/en/search-results?ordering=newest&searchword=DNSSEC
> Lastly - Are non-Kenyan based organisations allowed to be Registrars yet? The Application form (http://www.kenic.or.ke/images/PDF/Registrar%20Application%20Form%20Updated.p...) doesn't state you have to be in Kenya - though it asks for a "KRA Pin Certificate" - and I've no clue what that is.
> I have a few co.ke domains and would love to add DNSSEC to them. My systems allow for that (talks EPP) and I have about 100 DNSSEC signed domains, mainly in ZA but also in other ccTLDs and GTLDs.
> -- Mark James ELKINS - Posix Systems - (South) Africa mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
> _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/toilemgodwin%40gmail.c...
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
> KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
-- Kind Regards, Toilem Poriot Godwin *Be not afraid of greatness. Some are born great, some achieve greatness, and some have greatness thrust upon ‘em — WILLIAM SHAKESPEARE*

Dear Mark,
I trust you are well. Through the registry system we do accept entry of DS records, all registrars can add the DS records from their interface, and if they need assistance/guidance in doing so the technical team does assist. This information will be shared on the site and is part of the registrar training scheduled for April 2019.
Non-Kenyan based registrars are not yet allowed, one must have physical presence in Kenya. However, one can become a reseller under an existing registrar in the meantime.
The KRA Pin is the Kenya Revenue Authority Taxpayer's Personal Identification Number and is needed for the registry to file VAT returns.
Kind regards, Brian Nyali.

Hi, thank you Brian for your reply.
On 2019/03/07 07:49, Brian Nyali wrote:
> Dear Mark,
> I trust you are well. Through the registry system we do accept entry of DS records, all registrars can add the DS records from their interface, and if they need assistance/guidance in doing so the technical team does assist. This information will be shared on the site and is part of the registrar training scheduled for April 2019.
Perhaps the fact that you do support DNSSEC should be on your website? It could probably be along the lines of technical advice, such as you support Types 5 and 8 (RSA/SHA1 -and- RSA/SHA256) - although perhaps advise folk to prefer RSA/SHA256; whether you support type 13 (and others), the Elliptical Curve keys; and that perhaps you suggest people use (DS) digest type 2 in preference to type 1?? (more secure). I was able to persuade the ZACR/DNS folk in ZA to do away with Digest type-1 for all internal purposes (i.e. to the 'root') although type-1 DS digests are still accepted from customers.
> Non-Kenyan based registrars are not yet allowed, one must have physical presence in Kenya. However, one can become a reseller under an existing registrar in the meantime.
Sad. I'm not aware that any registrars have reseller facing APIs for automation - and that's a potential problem. DNSSEC really needs to be run in a totally automated manner. It's when there are humans in the process that things can go wrong. Are there any plans to allow "DNS Operators" to manipulate DNSSEC records? That would solve that problem.
I include "CDS" records in my customer zones (see: "dig bantex.co.ke cds") and they should effectively reflect what is in the parent zone as DS records. I was looking at writing an RFC "tickle" that would allow a Registry to identify the URL necessary so that a DNS operator could call that with a domain name - and then have the Registry poll the Nameservers of that domain to look for CDS/DS changes and update on the Registry side. This would only work for domains where DNSSEC is switched on.
Anyway - I must thank my Kenyan Registrar for adding DNSSEC to one of my domains. Thanks guys.
> The KRA Pin is the Kenya Revenue Authority Taxpayer's Personal Identification Number and is needed for the registry to file VAT returns.
> Kind regards, Brian Nyali.
-- Mark James ELKINS - Posix Systems - (South) Africa mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
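The CDS-versus-DS comparison and the digest type 1 versus type 2 point from the message above, as an added example that is not part of the original thread or any registry's code: it derives DS/CDS data from a DNSKEY (RFC 4034) and reports what a polling registry would add or remove. The function names, the owner name `example.test.` and the all-zero algorithm 13 key are constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return the DS/CDS tuple (key tag, algorithm, digest type, hex digest)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)

def parse_rdata(text):
    """Parse 'keytag alg digesttype hexdigest' (DS or CDS presentation RDATA)."""
    tag, alg, dtype, *hexparts = text.split()
    return (int(tag), int(alg), int(dtype), "".join(hexparts).lower())

def cds_drift(parent_ds, child_cds):
    """What a registry would add to / remove from the DS set to match the CDS set."""
    ds = {parse_rdata(r) for r in parent_ds}
    cds = {parse_rdata(r) for r in child_cds}
    return {"add": sorted(cds - ds), "remove": sorted(ds - cds)}

def fmt(rec):
    """Tuple back to presentation format."""
    return "%d %d %d %s" % rec

# Constructed sample: an all-zero 64-byte "public key" for algorithm 13.
OWNER = "example.test."
PUBKEY = base64.b64encode(bytes(64)).decode()
OLD_DS = ds_from_dnskey(OWNER, 257, 3, 13, PUBKEY, 1)   # parent still holds digest type 1
NEW_CDS = ds_from_dnskey(OWNER, 257, 3, 13, PUBKEY, 2)  # child publishes digest type 2

if __name__ == "__main__":
    print(cds_drift([fmt(OLD_DS)], [fmt(NEW_CDS)]))
```

This compares record sets only; a registry acting on polled CDS data would first DNSSEC-validate the answer.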
participants (3)
- Brian Nyali
- Mark Elkins
- Toilem Godwin