DEU | ENG
You are here: Home / Service & Support / Technical Information / DNSSEC

Service & Support

Printversion

DNSSEC - security for the .at zone

DNSSEC stands for Domain Name System Security Extensions. These security extensions for the DNS guarantee both authenticity and data integrity of  DNS transactions. In other words, by using DNSSEC you can be sure that you will access the domain you actually want to reach. DNSSEC ensures that your domain queries will be responded by the relevant server without being manipulated during the process. DNSSEC prevents the so-called ‘cache poisoning’, which means forging DNS data and redirecting the user to manipulated websites.

How does DNSSEC work?

DNSSEC is based on the signing of DNS entries with cryptographic keys. For each zone, i.e. from the root zone to the top level domain to the domain, there are special key pairs. Each key pair consists of a public and a private key, whereas the zone is signed with the secret private key, and the public key is published in the zone itself for verification. In a chain of trust the higher-level zone validates the zone below: the root zone validates the public key of .at, and the .at-zone validates the public key of a .at-domain. The public key of the root zone is configured in the recursive nameservers, which guarantees the validation of the chain of trust. Therefore, a comprehensive signing on all levels is essential. This is provided by ICANN (for the root zone) and nic.at (for .at), but full security is only guaranteed if the registrar signs all domains administrated by him. This is the only way to completely validate DNS information.

Who benefits from DNSSEC?

•    The Internet community benefits from a better Internet security.
•    Registrars can offer new services to their customers.
•    Access providers provide unaltered domain queries to their customers.
•    Domain holders protect their domains from unauthorized DNS attacks.
•    Institutions with online payment (e.g. banks, web-shops etc.) or sensitive data transactions can protect their customers from misuse and gain confidence in the world-wide web. 

DNSSEC for .at

For .at-domains DNSSEC was made available to the public on 29/02/2012. In a preceding testing phase, registrars have had the opportunity to test the system and gain experience. At the same time, nic.at was performing comprehensive tests and taking security precautions to get ready for the implementation, as other registries have repeatedly experienced problems during the launch of DNSSEC.
If you want to know how to get a DNSSEC-signature for your .at-domain, please go to the special FAQ on  DNSSEC. DNSsec

If you want to know more about DNSSEC

we can recommend the following websites:

DNSSEC-Tools  http://dnssec-tools.org External Link    
DNS-School:  http://www.dns-school.org External Link 
DNSSEC.net:  http://www.dnssec.net/practical-documents External Link 
Internet Systems Consortium, Inc. (ISC):  http://www.isc.org/software/bind/dnssec External Link  
DNSSEC Industry Coalition  http://dnsseccoalition.org External Link 

 

 

Related FAQ

fold faq
What are the technical reasons for the rejection of a domain application?

There are various reasons why an application may be rejected: errors in the application itself (incomplete field descriptions, missing mandatory fields, invalid version etc.), invalid domain names, wrong entry formats, invalid characters. The most frequent source of error is an incorrect nameserver configuration. Please click here for more information about the application check and nameserver configuration.

fold faq
How often are the nic.at nameservers reloaded?

6 times a day: at 6am, 10am, 1pm, 4pm, 7pm and 10pm (CET).

fold faq
What does IDN mean?

IDN is for "Internationalized Domain Name", which is a standard that enables the use of other characters in addition to the currently allowed ASCII-characters (the 26 Latin letters, the ten numbers 0 – 9 and the hyphen) for domain names. The respective registry decides which additional characters are allowed with the implementation of IDN.