Turn on DNSSEC for new Cloud DNS TLDs

we set the "denial of existence" to NSEC (rather than NSEC3), because preventing "walking the zone" isn't an issue for TLDs. It uses the default security configuration for everything else, which at the time of this writing is: Key signing: RSASHA256, key length of 2048 Zone signing: RSASHA256, key length of 1024 ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=179045575
2026-04-20 16:20:50 +00:00 · 2017-12-14 08:06:13 -08:00
parent 0d3ec66259
commit d5d29959b4
2 changed files with 25 additions and 15 deletions
--- a/java/google/registry/tools/CreateCdnsTld.java
+++ b/java/google/registry/tools/CreateCdnsTld.java
@@ -23,6 +23,7 @@ import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.jackson2.JacksonFactory;
 import com.google.api.services.dns.Dns;
 import com.google.api.services.dns.model.ManagedZone;
+import com.google.api.services.dns.model.ManagedZoneDnsSecConfig;
 import com.google.common.annotations.VisibleForTesting;
 import google.registry.config.RegistryConfig.Config;
 import java.io.IOException;
@@ -58,16 +59,18 @@ class CreateCdnsTld extends ConfirmingCommand {

  private static final String KEY_VALUE_FORMAT = "  %s = %s";

-  private ManagedZone requestBody;
+  private ManagedZone managedZone;

  @Override
  protected void init() throws IOException, GeneralSecurityException {
-    requestBody = new ManagedZone();
-    requestBody.setDescription(description);
-    // TODO(b/67413698): allow parameterizing the nameserver set once it's safe to do so.
-    requestBody.setNameServerSet("cloud-dns-registry-test");
-    requestBody.setDnsName(dnsName);
-    requestBody.setName((name != null) ? name : dnsName);
+    managedZone =
+        new ManagedZone()
+            .setDescription(description)
+            // TODO(b/67413698): allow parameterizing the nameserver set once it's safe to do so.
+            .setNameServerSet("cloud-dns-registry-test")
+            .setDnsName(dnsName)
+            .setName((name != null) ? name : dnsName)
+            .setDnssecConfig(new ManagedZoneDnsSecConfig().setNonExistence("NSEC").setState("ON"));
  }

  @Override
@@ -75,7 +78,7 @@ class CreateCdnsTld extends ConfirmingCommand {
    return String.format(
        "Creating TLD with:\n%s\n%s",
        String.format(KEY_VALUE_FORMAT, "projectId", projectId),
-        requestBody
+        managedZone
            .entrySet()
            .stream()
            .map(entry -> String.format(KEY_VALUE_FORMAT, entry.getKey(), entry.getValue()))
@@ -85,7 +88,7 @@ class CreateCdnsTld extends ConfirmingCommand {
  @Override
  public String execute() throws IOException, GeneralSecurityException {
    Dns dnsService = createDnsService();
-    Dns.ManagedZones.Create request = dnsService.managedZones().create(projectId, requestBody);
+    Dns.ManagedZones.Create request = dnsService.managedZones().create(projectId, managedZone);
    ManagedZone response = request.execute();
    return String.format("Created managed zone: %s", response);
  }
--- a/javatests/google/registry/tools/CreateCdnsTldTest.java
+++ b/javatests/google/registry/tools/CreateCdnsTldTest.java
@@ -20,6 +20,7 @@ import static org.mockito.Mockito.when;

 import com.google.api.services.dns.Dns;
 import com.google.api.services.dns.model.ManagedZone;
+import com.google.api.services.dns.model.ManagedZoneDnsSecConfig;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import org.junit.Before;
@@ -55,23 +56,29 @@ public class CreateCdnsTldTest extends CommandTestCase<CreateCdnsTld> {
    }
  }

+  private ManagedZone createZone(
+      String nameServerSet, String description, String dnsName, String name) {
+    return new ManagedZone()
+        .setNameServerSet(nameServerSet)
+        .setDnsName(dnsName)
+        .setDescription(description)
+        .setName(name)
+        .setDnssecConfig(new ManagedZoneDnsSecConfig().setState("ON").setNonExistence("NSEC"));
+  }
+
  @Test
  public void testBasicFunctionality() throws Exception {
    runCommand("--dns_name=tld.", "--name=tld", "--description=test run", "--force");
    verify(request).execute();
    assertThat(projectId.getValue()).isEqualTo("test-project");
    ManagedZone zone = requestBody.getValue();
-    assertThat(zone.getNameServerSet()).isEqualTo("cloud-dns-registry-test");
-    assertThat(zone.getDnsName()).isEqualTo("tld.");
-    assertThat(zone.getName()).isEqualTo("tld");
+    assertThat(zone).isEqualTo(createZone("cloud-dns-registry-test", "test run", "tld.", "tld"));
  }

  @Test
  public void testNameDefault() throws Exception {
    runCommand("--dns_name=tld.", "--description=test run", "--force");
    ManagedZone zone = requestBody.getValue();
-    assertThat(zone.getNameServerSet()).isEqualTo("cloud-dns-registry-test");
-    assertThat(zone.getDnsName()).isEqualTo("tld.");
-    assertThat(zone.getName()).isEqualTo("tld.");
+    assertThat(zone).isEqualTo(createZone("cloud-dns-registry-test", "test run", "tld.", "tld."));
  }
 }