Domain security

Security Lock is additional protection for your .at-domain. If the service is activated, any amendments to the domain must be explicitly authorised. This means that third parties - such as your provider/registrar - can still request changes, but these will only be implemented following your confirmation after you receive a link by e-mail. Invoices will be sent annually to the invoice recipient, who will be notified at the time of application.

The Security Lock service costs EUR 250.00 (excl. VAT) per year per .at domain. If the annual fee is not paid on time, the Security Lock will be deactivated automatically. Invoices will be sent annually to the invoice recipient specified at the time of application. If someone other than the domain holder is the invoice recipient, the invoice recipient indicated must pay the invoice. Just like for the domain fee, the domain holder is ultimately responsible for ensuring that the Security Lock is paid.

We particularly recommend Security Lock to domain holders whose business activities are based on unlimited accessibility on the web. The same applies to companies for whom problems with the domain could mean a loss of reputation or uncertainty for customers. With Security Lock you make your domain even more secure. 

To set up the Security Lock service, log in to your "customer login area", select the desired .at domains and activate Security Lock.

Security Lock will be activated and billable immediately, and is valid for an indefinite time.

Find out more about this in the "contractual provisions for the Security Lock service".

If you wish to amend a Security Lock domain, send a request to the Security Lock e-mail address and you will receive a link by e-mail. By clicking on the link, you will be forwarded directly to the nic.at website where you can view the amendment and then confirm or reject it. If the domain is in the administration of your registrar / provider, contact them to cancel your domain.

The Security Lock will be deactivated automatically by cancellation of the domain or change of domain holder. It is also possible to cancel just the Security Lock. You can do this directly via your "customer login area", and it has no repercussions for the functionality of your domain. If you fail to pay the annual fee on time, the Security Lock will also be deactivated automatically.

Log into the nic.at website using your access data at the "customer login area".  Choose the .at domain for which you want to change the e-mail address for Security Lock. Now click on "change" in the field of your selected domain and you will be redirected to the page "Change Security Lock". Here you will see your domain and the current confirmation e-mail address. Then enter the new e-mail address twice and click on submit. You will then receive an e-mail from us at the current confirmation e-mail address which you will need to use to confirm the change of e-mail address. As soon as you send this confirmation, the change of e-mail address for your selected Security Lock domain will be processed.

If the domain is in the administration of your registrar / provider, contact them to change your Security Lock e-mail address.

DNSSEC (Domain Name System Security Extensions) is a security extension for the Domain Name System and guarantees the authenticity and data integrity of DNS responses. Simply put: DNSSEC ensures that you reach the domain in the Internet that you are aiming to reach and prevents the malicious corruption of DNS data (from entry of the domain to display of the website).

For questions relating to DNSSEC offers, please contact your Internet service provider. You can also search specifically for a .at partner who offers DNSSEC. Use our .at-Partnerfinder for this purpose.

If you possess the necessary DNSSEC technology for your name servers yourself and if your domain is administered at nic.at, you can carry out these settings (DS record) directly in the login area.

Actually, the user doesn’t notice anything when surfing the Internet. Domains with a DNSSEC signature can be recognized through additional information in the Whois: a DNSSEC entry with key information that includes the key, key tag, algorithm type and hash type. Additionally, users can check on www.dnsviz.net whether a domain has a DNSSEC signature or not. The entire chain of signatures from the root zone to the domain can be seen, including the visualization of any validation gaps.

Your first contact is your Internet service provider or registrar. At www.at-partner.at you can find out if the registrar offers DNSSEC. If you possess the required DNSSEC technology for your nameservers yourself, just specify the DS-record of your domain in the login area.

These details must be specified in the online application when adding a DNSSEC signature, and they are also shown as special Whois entries.
key = hash of the used Key Signing Key
key tag = identification number of the Key Signing Key
algorithm = used algorithm of the referenced key
hash type = used hash algorithm
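
The four values above can be derived from the DNSKEY record of the Key Signing Key and compared with what was entered before a DS record goes live. The following is an added example, not nic.at code: it follows RFC 4034 for the key tag and the DS digest, and the domain `example.at`, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest types from the IANA DS registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag checksum over the RDATA (RFC 4034, Appendix B; not for obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def owner_wire(name):
    """Canonical owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_fields(owner, flags, protocol, algorithm, pubkey_b64, hash_type=2):
    """Return the four DS values: key tag, algorithm, hash type, key (digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[hash_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {"key tag": key_tag(rdata), "algorithm": algorithm,
            "hash type": hash_type, "key": digest}


def ds_mismatches(entered, owner, flags, protocol, algorithm, pubkey_b64):
    """Names of DS fields that do not match the DNSKEY; an empty list means consistent."""
    expected = ds_fields(owner, flags, protocol, algorithm, pubkey_b64, entered["hash type"])
    problems = [k for k in expected if str(entered[k]).upper() != str(expected[k])]
    if not flags & 0x0001:  # SEP bit clear: key is not flagged as a Key Signing Key
        problems.append("flags")
    return problems


# Constructed sample, not a real key: 64 placeholder bytes shaped like an algorithm 13 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DS = ds_fields("Example.AT.", 257, 3, 13, SAMPLE_KEY)
```

A DS record whose digest or key tag does not match the published DNSKEY makes the domain fail validation at resolvers that check DNSSEC, so a non-empty result from `ds_mismatches` should block the submission.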

If the gaining registrar/ISP supports DNSSEC, your domain remains signed. If it does not support DNSSEC, the DS-records are automatically removed as soon as the domain is transferred to the new registrar/ISP. This means that your domain no longer has a DNSSEC signature. nic.at will inform you by e-mail if this is the case.

In a DNSSEC Policy & Practice Statement each registry defines how they handle DNSSEC issues, which safety measures are relevant for the key administration, how transactions are logged, and which algorithms and time limits are to be applied. The nic.at DNSSEC policy is available as a PDF-document here.

We ask our customers to support us in continuously improving the security of our website and systems. If you have identified a possible vulnerability or something suspicious, please contact our ISM team immediately via e-mail.


If you could not find an answer to your question, please feel free to contact our customer service department: +43 662 46 69 -850.