What is DNSSEC?

DNSSEC is a security extension for the Domain Name System that guarantees both authenticity and data integrity of DNS transactions. In other words, DNSSEC ensures that you reach the domain you actually intended by preventing malicious manipulation of DNS data.

Who benefits from DNSSEC?

•    The Internet community benefits from better Internet security.
•    Registrars can offer new services to their customers.
•    Access providers provide unaltered domain queries to their customers.
•    Domain holders protect their domains from unauthorized DNS attacks.
•    Institutions with online payment (e.g. banks, web shops, etc.) or sensitive data transactions can protect their customers from misuse and gain confidence in the World Wide Web.

How do I recognize a domain with a DNSSEC signature?

Actually, the user doesn’t notice anything when surfing the Internet. Domains with a DNSSEC signature can be recognized through additional information in the Whois: a DNSSEC entry with key information that includes the key, key tag, algorithm type and hash type. Additionally, users can check on External Link whether a domain has a DNSSEC signature or not. The entire chain of signatures from the root zone to the domain can be seen, including the visualization of any validation gaps.

How can I get a DNSSEC signature for my domain?

Your first contact is your Internet service provider or registrar. At you can find out if the registrar offers DNSSEC. If you possess the required DNSSEC technology for your nameservers yourself, just specify the DS-record of your domain in the online application for data modification. In addition, requires the proper written document for DNSSEC modifications, which must include the DNSSEC information as well as your signature. The form is generated automatically after completing the online application.

What do the terms key, key tag, algorithm and hash type mean?

These details must be specified in the online application when adding a DNSSEC signature, and they are also shown as special Whois entries.
key = hash of the Key Signing Key in use
key tag = identification number of the Key Signing Key
algorithm = algorithm used by the referenced key
hash type = hash algorithm used
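
How the four values are derived from a DNSKEY record (RFC 4034), so that the data entered in the application can be checked against your own Key Signing Key before it is submitted. This is an added example, not part of the original FAQ or any registry tool; the function names, the owner name example.com and the placeholder key bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# DS hash type numbers -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, hash_type=2):
    """Return the four DS fields: key tag, algorithm, hash type, key (digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[hash_type](wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "hash_type": hash_type, "key": digest}

def mismatches(published, computed):
    """Names of DS fields that differ between a Whois entry and the local key."""
    return [f for f in computed
            if str(published.get(f, "")).replace(" ", "").upper() != str(computed[f])]

# Constructed sample: placeholder key bytes, not a real Key Signing Key.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE = ("Example.COM.", 257, 3, 13, SAMPLE_PUBKEY)

if __name__ == "__main__":
    ds = make_ds(*SAMPLE)
    print(ds)
    print(mismatches({**ds, "key_tag": 12345}, ds))  # simulated typo in the form
```

The digest covers the owner name as well as the key, so the same key published under a different domain yields a different "key" value.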

What happens with my DNSSEC domain if there is a change of the ISP / registrar?

If the gaining registrar/ISP supports DNSSEC, your domain remains signed. If it doesn’t support DNSSEC, the DS-records are automatically removed as soon as the domain is transferred to the new registrar/ISP. This means that your domain no longer has a DNSSEC signature. will inform you by e-mail if this is the case.

Where do I get more information about DNSSEC?

Please find a DNSSEC summary as well as further links at Technical Information - DNSSEC.

Where do I find the DNSSEC policy of

In a DNSSEC Policy & Practice Statement, each registry defines how it handles DNSSEC issues, which safety measures are relevant for the key administration, how transactions are logged, and which algorithms and time limits are to be applied. The DNSSEC policy is available as a PDF document here.