Service & Support
DNSSEC - security for the .at zone
DNSSEC stands for Domain Name System Security Extensions. These security extensions for the DNS guarantee both authenticity and data integrity oftransactions. In other words, by using DNSSEC you can be sure that you will access the domain you actually want to reach. DNSSEC ensures that your domain queries will be responded by the relevant server without being manipulated during the process. DNSSEC prevents the so-called ‘cache poisoning’, which means forging DNS data and redirecting the user to manipulated websites.
How does DNSSEC work?
DNSSEC is based on the signing of DNS entries with cryptographic keys. For each zone, i.e. from the root zone to the top level domain to the domain, there are special key pairs. Each key pair consists of a public and a private key, whereas the zone is signed with the secret private key, and the public key is published in the zone itself for verification. In a chain of trust the higher-level zone validates the zone below: the root zone validates the public key of .at, and the .at-zone validates the public key of a .at-domain. The public key of the root zone is configured in the recursive nameservers, which guarantees the validation of the chain of trust. Therefore, a comprehensive signing on all levels is essential. This is provided by ICANN (for the root zone) and nic.at (for .at), but full security is only guaranteed if the registrar signs all domains administrated by him. This is the only way to completely validate DNS information.
Who benefits from DNSSEC?
• The Internet community benefits from a better Internet security.
• Registrars can offer new services to their customers.
• Access providers provide unaltered domain queries to their customers.
• Domain holders protect their domains from unauthorized DNS attacks.
• Institutions with online payment (e.g. banks, web-shops etc.) or sensitive data transactions can protect their customers from misuse and gain confidence in the world-wide web.
DNSSEC for .at
For .at-domains DNSSEC was made available to the public on 29/02/2012. In a preceding testing phase, registrars have had the opportunity to test the system and gain experience. At the same time, nic.at was performing comprehensive tests and taking security precautions to get ready for the implementation, as other registries have repeatedly experienced problems during the launch of DNSSEC.
If you want to know how to get a DNSSEC-signature for your .at-domain, please go to the special FAQ on .
If you want to know more about DNSSEC
we can recommend the following websites:
Internet Systems Consortium, Inc. (ISC):
DNSSEC Industry Coalition
- What are the technical reasons for the rejection of a domain application?
There are various reasons why an application may be rejected: errors in the application itself (incomplete field descriptions, missing mandatory fields, invalid version etc.), invalid domain names, wrong entry formats, invalid characters. The most frequent source of error is an incorrect nameserver configuration. Please clickfor more information about the application check and nameserver configuration.
- How often are the nic.at nameservers reloaded?
6 times a day: at 6am, 10am, 1pm, 4pm, 7pm and 10pm (CET).
- What does IDN mean?
IDN is for "Internationalized Domain Name", which is a standard that enables the use of other characters in addition to the currently allowed ASCII-characters (the 26 Latin letters, the ten numbers 0 – 9 and the hyphen) for domain names. The respective registry decides which additional characters are allowed with the implementation of IDN.