Guidelines for deployment of DNSSEC

What need to be done to get started with DNSSEC depends very much on what role you have and what kind of services you want to secure.

I have a .no domain and want to secure it

If you subscribe to a .no domain, and want to secure it with DNSSEC, there are two variants.

  1. The name service for the domain is also supplied by the registrar:

    A subscriber should only need to contact his registrar and ask for DNSSEC to be activated for a domain. The registrar should then perform all the practical steps.

  2. The name service for the domain is delivered by your own organization or some other name service provider (ISP):

    You must first ensure that the domain is signed, and that the signed zone file has been completely published in DNS.

    You must then extract the DS record for the KSK key and register it on the domain in Norid’s database. This change must be done via the registrar.

If it turns out that your registrar does not support DNSSEC, you can transfer the domain to another registrar that does. You can see which registrars that support DNSSEC in Norid’s registrar list.

I deliver some other service

Actors that deliver other services, like ISPs, registrars or others, have to perform other actions, which might imply more work, to get the service DNSSEC enabled.

ISOC has made a number of nice ‘Where do I start’ guidelines which describe what different actors will need to think about.

Last updated 2015 or before