Turn on DNSSEC for new Cloud DNS TLDs

we set the "denial of existence" to NSEC (rather than NSEC3), because preventing "walking the zone" isn't an issue for TLDs. It uses the default security configuration for everything else, which at the time of this writing is: Key signing: RSASHA256, key length of 2048 Zone signing: RSASHA256, key length of 1024 ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=179045575
2025-05-13 16:07:15 +02:00 · 2017-12-14 08:06:13 -08:00 · 2017-12-14 08:06:13 -08:00 · d5d29959b4
commit d5d29959b4
parent 0d3ec66259
2 changed files with 25 additions and 15 deletions
--- a/java/google/registry/tools/CreateCdnsTld.java
+++ b/java/google/registry/tools/CreateCdnsTld.java
@ -23,6 +23,7 @@ import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.jackson2.JacksonFactory;
 import com.google.api.services.dns.Dns;
 import com.google.api.services.dns.model.ManagedZone;
+import com.google.api.services.dns.model.ManagedZoneDnsSecConfig;
 import com.google.common.annotations.VisibleForTesting;
 import google.registry.config.RegistryConfig.Config;
 import java.io.IOException;
@ -58,16 +59,18 @@ class CreateCdnsTld extends ConfirmingCommand {

  private static final String KEY_VALUE_FORMAT = "  %s = %s";

-  private ManagedZone requestBody;
+  private ManagedZone managedZone;

  @Override
  protected void init() throws IOException, GeneralSecurityException {
-    requestBody = new ManagedZone();
-    requestBody.setDescription(description);
-    // TODO(b/67413698): allow parameterizing the nameserver set once it's safe to do so.
-    requestBody.setNameServerSet("cloud-dns-registry-test");
-    requestBody.setDnsName(dnsName);
-    requestBody.setName((name != null) ? name : dnsName);
+    managedZone =
+        new ManagedZone()
+            .setDescription(description)
+            // TODO(b/67413698): allow parameterizing the nameserver set once it's safe to do so.
+            .setNameServerSet("cloud-dns-registry-test")
+            .setDnsName(dnsName)
+            .setName((name != null) ? name : dnsName)
+            .setDnssecConfig(new ManagedZoneDnsSecConfig().setNonExistence("NSEC").setState("ON"));
  }

  @Override
@ -75,7 +78,7 @@ class CreateCdnsTld extends ConfirmingCommand {
    return String.format(
        "Creating TLD with:\n%s\n%s",
        String.format(KEY_VALUE_FORMAT, "projectId", projectId),
-        requestBody
+        managedZone
            .entrySet()
            .stream()
            .map(entry -> String.format(KEY_VALUE_FORMAT, entry.getKey(), entry.getValue()))
@ -85,7 +88,7 @@ class CreateCdnsTld extends ConfirmingCommand {
  @Override
  public String execute() throws IOException, GeneralSecurityException {
    Dns dnsService = createDnsService();
-    Dns.ManagedZones.Create request = dnsService.managedZones().create(projectId, requestBody);
+    Dns.ManagedZones.Create request = dnsService.managedZones().create(projectId, managedZone);
    ManagedZone response = request.execute();
    return String.format("Created managed zone: %s", response);
  }