Acceptable Usage Policy
- The intention of this service is for people to test how DNSSEC works, through queries and the responses received. It is NOT intended for testing high query rates.
- The maximum permitted query rate is:
- 100 queries per second per user
- If this query rate is exceeded then the offending user will be blocked.
- Please note that domain names in these test zones are pointed to the IANA's DNSSEC testbed root server, NOT one of the 13 Root Servers.
- These data, including the signed labels, are purely for test purposes and are not to be used in any production capacity. We do not guarantee their availability, and they may not function from time to time.
User Registration
- One user registration per individual.
- Unique registration is defined by the email AND the username.
Domain Registration
- Each user may register multiple domain names within the test bed.
- The domain names will be unique within the test bed (and only within the test bed, i.e. it does not affect .my DOMAIN REGISTRY's Production Registry System). If the domain name has been registered before, you will receive a message saying that you are unable to register that domain name.
- Domain Names can be deleted from the list of domains that you have registered.
- Steps to register a domain name:
- Login using your account.
- Click on Domains on the left menu.
- Type your domain name and click on the button "Add New Domain".
- If your domain is available, choose the name server type, i.e. either your own name servers or the Test bed name servers.
- Click Submit.
- A message will appear stating whether the registration of the new domain was successful or not.
Name Servers for the domain registered
- You may register the primary and secondary name servers for your domain name using ONE of the 2 types of name servers. They are either:
- Test bed name servers
- Own name servers
- Once the type of name servers is selected, it CANNOT be changed to the other type.
E.g., if you begin by selecting Test bed name servers as your name servers, you cannot edit the name servers later to refer to your own servers, and vice versa.
- You would need to remove the domain from the system and register it again if you decide to change from Test bed name servers to your own name servers, or vice versa.
- Alternatively, you may want to just add another domain name using the desired name server type, since this is on a test bed.
- Own Name Servers
- You can edit the name servers that you have added on your own (i.e. NOT Test bed name servers) through the "Manage Name Server" section on the left-hand side menu. However, you may NOT change the name server handle to the one used by the Test bed name servers. When using your own name servers, you may add up to 6 name servers into the system.
- If the user uses their own name servers, it is expected that they prepare their own zone files for this test bed.
Test Bed Name Servers
- If you have attached the domain with Test bed name servers, you may NOT:
- edit the name servers,
- change to another handle or
- add any additional name servers.
- Zone files will be created and a record added into named.conf for the domain name on our primary name server (ns1.dnshost.my). A record will also be added into the named.conf on the secondary name server (ns2.dnshost.my) so that zone transfers can happen.
- An additional Tab on the left-hand Menu (Domains->Manage DNS Host Keys) will be available to manage the Keys that are used for signing the zone. This will help you understand how the Key Rollover process can be done.
- When those domain names are deleted, they will be removed from both the primary and secondary name servers.
DNSSEC
- The DNSSEC tab on the left-hand side menu will allow the .my zone to grab the DS Keys from the Primary Name Server of the domain.
- Please note that you may need to wait (at most 5 minutes) for the .my zone to publish the newly added domain name.
- Upon (successfully) loading the DNSSEC page for the first time, the DS Keys will be grabbed automatically from the Primary Name Server.
- The Keys retrieved will be stored in the database.
- On subsequent visits to this DNSSEC page, no automatic retrieval from the Primary Name Server will be done. Only when the button "Update Key List" is clicked will the system attempt to grab the DS Keys from the Primary Name Server again.
- The keys that are no longer in the list of newly retrieved keys will be archived and the new keys will be seen on the list instead.
- When a domain name (that has already been signed) is deleted, the DS Keys will be archived.
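
The sketch below is an added example, not the test bed's own code. It shows what a DS key is (a digest over the owner name and the zone's DNSKEY, as specified in RFC 4034) and how the "Update Key List" rule above plays out when a key is rolled. The domain example.my and the key bytes are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) DNS wire form of an owner name."""
    labels = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, algorithm, key_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY."""
    rdata = dnskey_rdata(flags, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def update_key_list(stored, retrieved):
    """Fresh retrieval becomes the active list; stored keys missing from it are archived."""
    return set(retrieved), set(stored) - set(retrieved)

# Constructed sample values: the domain and key bytes are made up, not testbed keys.
OWNER = "example.my"
OLD_KSK = base64.b64encode(b"\x01\x02\x03\x04").decode()
NEW_KSK = base64.b64encode(b"\x05\x06\x07\x08").decode()

def demo():
    old = ds_record(OWNER, 257, 8, OLD_KSK)   # 257 = KSK flags, 8 = RSA/SHA-256
    new = ds_record(OWNER, 257, 8, NEW_KSK)
    mid = update_key_list({old}, {old, new})  # both keys published mid-rollover
    done = update_key_list(mid[0], {new})     # old key removed from the zone
    return old, new, mid, done

if __name__ == "__main__":
    old, new, mid, done = demo()
    for tag, alg, dtype, digest in sorted(done[0]):
        print(f"active   DS {tag} {alg} {dtype} {digest}")
    for tag, alg, dtype, digest in sorted(done[1]):
        print(f"archived DS {tag} {alg} {dtype} {digest}")
```

While both keys are still published, nothing is archived; the old DS is archived only once the old key no longer appears in the retrieved list.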
Manage DNS Host Keys
- The "Manage DNS Host Keys" tab on the left-hand side menu will allow you to manage the keys, i.e. Generating new Keys and Rollover, Removal of Old Keys, etc.
- For this testbed, there is no fixed policy at the moment regarding how long the keys will be valid.
- However, the keys will be signed with a lifespan of 90 days.
- The only rule that governs the rollover is a wait of twice the value of the zone file TTL.
- For the sake of testing, the TTL has been set to 60 seconds, so that the maximum time that you need to wait is just 2 minutes (2 x 1 minute) to try the rollover.
- In essence, the Key Rollover Processes are shown below:
ZSK Rollover
KSK Rollover
Set Up Your DNS Root Hint
- If you are using your own DNS for your test domains, you MUST point your DNS root hint to the test bed root server.
- You may refer to the information through the "DNS Root Hint" tab at the left menu.
Set Up Your Trust Anchors
- You can set up trust anchors in your own DNS cache server.
- Click on the "Adding Trust Anchor to DNS Cache Server" on the left menu.
- Copy the trusted key to your name server.
- Submit your DNS Cache Server IP address to us.