Are you a registrar of domain names? Or a reseller of domain names? If so, the 2013 ICANN Registrar Accreditation Agreement (RAA) has some specific operational requirements related to DNSSEC and IPv6. These requirements are documented in “Additional Registrar Operation Specification” on page 67 of the final 2013 RAA. If you are an ICANN-accredited registrar and have not yet signed the 2013 RAA, note that signing will be a requirement if you want to sell the new generic top-level domains (new gTLDs).
On this page we will provide you with information about both DNSSEC and IPv6 along with links to tutorials and other information you may find helpful.
The DNS Security Extensions (DNSSEC) provide a method to ensure that an attacker cannot intercept a DNS query and return false data to a user that might, for instance, redirect the user to a different website. You can learn the basics by viewing a 4-minute animated video.
Domain name registrars play a critical role in DNSSEC by accepting DNSSEC records (either a “DS” or “DNSKEY” record) from a registrant and relaying those securely to the registry for the top-level domain. As noted in the 2013 RAA:
Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processed in a secure manner and according to industry best practices. Registrars shall accept any public key algorithm and digest type that is supported by the TLD of interest and appears in the registries posted at: <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml> and <http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml>. All such requests shall be transmitted to registries using the EPP extensions specified in RFC 5910 or its successors.
Registrars will need to provide some mechanism such as a web interface that allows a registrant to enter this data. This could merely be an extension of your existing user interface or a new page or tab for the DNSSEC information. As noted, you will also need to be able to transmit the DNSSEC information to a TLD registry using EPP.
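As an added illustration (not code from the RAA, ICANN or any registrar), the following Python shows one way a registrar back end could check a registrant-supplied DS record against the IANA registries and the TLD's supported set, then build the RFC 5910 secDNS update extension for EPP. The function names, the tld_algs and tld_digests inputs, and the sample values are assumptions; the algorithm set is a subset of the IANA registry.

```python
import re
import xml.etree.ElementTree as ET

SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"  # namespace defined by RFC 5910

# Digest type -> digest length in bytes (IANA ds-rr-types registry).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}  # SHA-1, SHA-256, SHA-384
# Subset of the IANA dns-sec-alg-numbers registry; a real system should track it.
IANA_ALGS = {5, 7, 8, 10, 13, 14, 15, 16}


def validate_ds(key_tag, alg, digest_type, digest_hex, tld_algs, tld_digests):
    """Return a normalized DS tuple or raise ValueError.

    tld_algs / tld_digests are the sets the target registry supports
    (assumed inputs, taken from that registry's documentation).
    """
    if not 0 <= key_tag <= 65535:
        raise ValueError("key tag must fit in 16 bits")
    if alg not in IANA_ALGS or alg not in tld_algs:
        raise ValueError(f"algorithm {alg} not supported for this TLD")
    if digest_type not in DIGEST_LEN or digest_type not in tld_digests:
        raise ValueError(f"digest type {digest_type} not supported for this TLD")
    digest = re.sub(r"\s+", "", digest_hex).upper()  # users often paste with spaces
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError("digest must be hexadecimal")
    if len(digest) != 2 * DIGEST_LEN[digest_type]:
        raise ValueError("digest length does not match digest type")
    return key_tag, alg, digest_type, digest


def secdns_add_extension(ds):
    """Build the <secDNS:update> extension element that adds one DS record."""
    ET.register_namespace("secDNS", SECDNS_NS)
    q = lambda name: f"{{{SECDNS_NS}}}{name}"
    update = ET.Element(q("update"))
    ds_data = ET.SubElement(ET.SubElement(update, q("add")), q("dsData"))
    for name, value in zip(("keyTag", "alg", "digestType", "digest"), ds):
        ET.SubElement(ds_data, q(name)).text = str(value)
    return ET.tostring(update, encoding="unicode")


# Constructed sample input: the digest is a made-up value of the right length.
SAMPLE = validate_ds(12345, 13, 2, "ab" * 32, tld_algs={8, 13}, tld_digests={2})
```

The returned element belongs inside the extension part of an EPP domain update command; rejecting malformed input at the web interface keeps bad DS data from reaching the registry, where it would make the zone fail validation.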
As examples, we have several tutorials about DNSSEC support at a few registrars. ICANN also maintains a list of registrars supporting DNSSEC where you can get a sense of what other registrars are doing and perhaps explore their sites for more information.
The 2013 RAA also requires that registrars be able to accept IPv6 addresses for DNS records. For instance, a registrant may want to enter an “AAAA” record for the IPv6 address of his/her website. The RAA states:
To the extent that Registrar offers registrants the ability to register nameserver addresses, Registrar must allow both IPv4 addresses and IPv6 addresses to be specified.
This may require changes to your web interface to allow the longer IPv6 addresses to be entered. If you specify which DNS records your users are able to enter, you may need to add “AAAA” as a possible choice. Other existing records such as NS records will also need to be able to accommodate IPv6 addresses.
Now, allowing IPv6 addresses to be added into DNS zone files will not be all that your users will ask of you. You will also need to publish that information over IPv6 from your authoritative name servers. This will mean that you will need to have IPv6 connectivity to your name servers. Visit our resource on DNS Considerations for IPv6 for more detail on this process. For more general information about IPv6 see our list of IPv6 resources.