Improved Delegation Management
ARIN is working on core changes to its systems in order to support per-delegation management of nameservers and provision secure delegations through Domain Name System Security Extensions (DNSSEC). In the future, these changes will also be used to improve reporting of lame delegations.
A network can comprise multiple delegations, but ARIN’s current system only allows you to specify and manage nameservers at the network level. When you provide nameservers on a network template request, those nameservers are delegated to all delegations within that network in accordance with ARIN’s Reverse DNS management guidelines.
When the transition to support DNSSEC occurs, ARIN will no longer support nameserver changes via templates. All delegations will need to be managed through ARIN Online. This will make for a more interactive, automated and user-friendly experience and provide a faster feedback loop. This will allow you to manage each delegation individually, or make changes to multiple delegations in one transaction. ARIN will no longer accept changes via template because the templates follow the per-network model for nameservers, which could result in unintentional overwrites to per-delegation nameserver changes made using the new online system. Because DNS is a critical part of delegations that you need to manage, we want to ensure that the changes you make are applied in the way you intended.
ARIN will continue to accept templates that include nameserver fields; however, the contents of the nameserver fields will be ignored.
ARIN's new system will enable you to individually manage each reverse delegation within both IPv4 and IPv6 networks. Delegations can be managed in IPv4 on byte boundaries (/8, /16, or /24). For IPv6 networks, they will be on nibble boundaries. For example, in IPv4, you could have a /23 network registered with ARIN that is composed of two /24 delegations. In this case, you will now be able to delegate one set of nameservers to the first delegation and another set of nameservers to the second delegation. You will also be able to manage Delegation Signer (DS) resource records for each delegation. Find out more about ARIN’s DNSSEC Deployment Plan.
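The boundary rule above can be worked through in code. The following Python sketch is an added example, not ARIN's code: it lists the reverse zones that cover a registered network, rounding the prefix up to the next byte boundary for IPv4 or nibble boundary for IPv6. The function name and the sample networks are assumptions made for illustration.

```python
import ipaddress

def reverse_delegations(cidr):
    """Return the reverse DNS zone names that cover a registered network.

    IPv4 zones sit on byte boundaries (/8, /16, /24) and IPv6 zones on
    nibble boundaries, as described above.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        step, max_len, total_labels = 8, 24, 4
    else:
        step, max_len, total_labels = 4, 128, 32
    if net.prefixlen == 0 or net.prefixlen > max_len:
        raise ValueError(f"{cidr}: outside the delegation sizes described")
    # Round the prefix length up to the next boundary; a /23 becomes two /24s.
    zone_len = -(-net.prefixlen // step) * step
    keep = zone_len // step
    zones = []
    for sub in net.subnets(new_prefix=zone_len):
        # reverse_pointer gives the full per-address name; drop the host labels.
        labels = sub.network_address.reverse_pointer.split(".")
        zones.append(".".join(labels[total_labels - keep:]))
    return zones

if __name__ == "__main__":
    # Constructed sample networks, chosen only to show the rounding.
    for sample in ("192.0.2.0/23", "10.0.0.0/8", "2001:db8::/31"):
        print(sample, "->", reverse_delegations(sample))
```

Each returned zone name is one delegation that can carry its own nameservers and DS records.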
A Preview of the ARIN Online Delegation Management Service
Below are the steps you will use to manage your delegations using ARIN Online. Please note that your ARIN Online account must be linked to a POC authorized to manage the network in order to view and manage delegation information. Note that the screen shots below are from code that is in development. Minor text changes may occur before this enhancement is released into production.
Log into your ARIN Online account. Go to “Manage Resources” in the left navigation. Select your POC or Organization, and then the Network for which you want to manage delegations. Select the “manage reverse DNS” action. You will see a list of delegations for the network. You can select one or more delegations to manage. Please note that any changes you make to nameservers or DS Records will be applied to all selected delegations. After you have selected your delegation(s), you have two options: “Modify Nameservers” and “Modify DS Records”.
If you choose to “Modify Nameservers”, you can delete or modify the nameservers listed on the page, or add new ones.
Note: If the nameservers for the selected delegations differ, they will not be displayed. A warning message will be displayed if the nameservers do not match. You can click one of the selected delegations if you would like to apply its nameservers to all of the selected delegations.
Please note that any changes you make to nameservers will be applied to all selected delegations.
When you have entered all your changes you must click “Apply to All”. You will be taken to a confirmation page where you can view your changes.
The second option available is to manage DS records.
Tip: You cannot add DS Records to a delegation if it does not have any nameservers.
When you select “Modify DS Records”, you can add or delete DS records. You will be presented with an interface that will allow you to upload DS records or paste them from another window.
The DS records should be in the following format:
|Zone||Class||RR type||Key tag||Algorithm||Digest type||Digest|
|Optional, ignored||Optional, "IN"||Must be "DS"||2 byte integer||1 byte integer (5, 7, or 8)||1 byte integer (1 or 2)||The hex encoded digest|
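To check DS records against this format before pasting them in, a validator along these lines can help. It is an added Python example, not ARIN's parser; the names are assumptions. The digest-length check (40 hex characters for digest type 1, 64 for type 2) is an extra sanity check based on SHA-1 and SHA-256 output sizes and is not stated in the table.

```python
import re
from typing import NamedTuple

ALLOWED_ALGORITHMS = {5, 7, 8}      # algorithm values listed in the table
DIGEST_HEX_LEN = {1: 40, 2: 64}     # digest types 1 and 2; lengths are an added check

class DSRecord(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

def parse_ds(line):
    """Parse one DS line in the table's column order; raise ValueError if invalid."""
    tokens = line.split()
    upper = [t.upper() for t in tokens[:3]]
    if "DS" not in upper:
        raise ValueError('RR type must be "DS"')
    pos = upper.index("DS")
    # Two leading fields means zone then class; the zone itself is ignored.
    if pos == 2 and upper[1] != "IN":
        raise ValueError('class, when present, must be "IN"')
    fields = tokens[pos + 1:]
    if len(fields) < 4:
        raise ValueError("expected key tag, algorithm, digest type, digest")
    try:
        key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    except ValueError:
        raise ValueError("key tag, algorithm and digest type must be integers") from None
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError("key tag must fit in 2 bytes")
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("algorithm must be 5, 7, or 8")
    if digest_type not in DIGEST_HEX_LEN:
        raise ValueError("digest type must be 1 or 2")
    # Zone-file tools may split the hex digest with spaces; rejoin it.
    digest = "".join(fields[3:]).upper()
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError("digest must be hex encoded")
    if len(digest) != DIGEST_HEX_LEN[digest_type]:
        raise ValueError("digest length does not match digest type")
    return DSRecord(key_tag, algorithm, digest_type, digest)

if __name__ == "__main__":
    # Constructed sample line; the digest is filler, not a real key digest.
    print(parse_ds("2.0.192.in-addr.arpa. IN DS 12345 8 2 " + "AB" * 32))
```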
Note: Similar to nameservers, if the DS Records for the selected delegations differ, they will not be displayed. A warning message will be displayed. You can click one of the selected delegations if you would like to apply its DS Records to all of the selected delegations.
Please note that any changes you make to DS Records will be applied to all selected delegations.
After you have added your DS records, click “Parse DS Record”. The result will look like this:
Click on “Apply to All”. You will be taken to a confirmation page where you can view your changes. The selected delegations will then be secured via DNSSEC within the next 12 hours.
Now when you view the delegations page, you can see the DS Key tag is listed.
The delegation below shows the new set of nameservers as well as the DS record key tag, which indicates that the delegation is now signed, with changes being reflected in the next zone update cycle: