- What is DNSSEC?
DNSSEC is a security extension for the Domain Name System that guarantees both authenticity and data integrity of DNS transactions. In other words, DNSSEC makes sure that you will access the domain you actually want to reach by preventing the malicious manipulation of DNS data.
- Who benefits from DNSSEC?
• The Internet community benefits from a better Internet security.
• Registrars can offer new services to their customers.
• Access providers provide unaltered domain queries to their customers.
• Domain holders protect their domains from unauthorized DNS attacks.
• Institutions with online payment (e.g. banks, web-shops etc.) or sensitive data transactions can protect their customers from misuse and gain confidence in the world-wide web.
- How do I recognize a domain with a DNSSEC signature?
Actually, the user doesn’t notice anything when surfing the Internet. Domains with a DNSSEC signature can be recognized through additional information in the: a DNSSEC entry with key information that includes the key, key tag, algorithm type and hash type. Additionally, users can check on whether a domain has a DNSSEC signature or not. The entire chain of signatures from the root zone to the domain can be seen, including the visualization of any validation gaps.
- How can I get a DNSSEC signature for my domain?
Your first contact is your Internet service provider or registrar. At www.at-partner.at you can find out if the registrar offers DNSSEC. If you possess the required DNSSEC technology for your nameservers yourself, just specify the DS-record of your domain in the online application for. In addition, nic.at requires the proper , which must include the DNSSEC information as well as your signature. The form is generated automatically after completing the online application.
- What do the terms key, key tag, algorithm and hash type mean?
These details must be specified in the online application when adding a DNSSEC signature, and they are also shown as special Whois entries.
key = hash of the used Key Signing Key
key tag = identification number of the Key Signing Key
algorithm = used algorithm of the referenced key
hash type = used hash algorithm
- What happens with my DNSSEC domain if there is a change of the ISP / registrar?
If the gaining registrar/ISP supports DNSSEC, your domain remains signed. If he doesn’t support DNSSEC, the DS-records are automatically removed as soon as the domain is transferred to the new registrar/ISP. This means that your domain no longer has a DNSSEC signature. nic.at will inform you by e-mail if this is the case.
- Where do I get more information about DNSSEC?
Please find a DNSSEC summary as well as further links at Technical Information -.
- Where do I find the DNSSEC policy of nic.at?
In a DNSSEC Policy & Practice Statement each registry defines how they handle DNSSEC issues, which safety measures are relevant for the key administration, how transactions are logged, and which algorithms and time limits are to be applied. The nic.at DNSSEC policy is available as a.