Domain name policy for .no

Appendix F: Technical name server requirements

This document describes technical requirements for DNS registration, in other words, the requirements that must be fulfilled by domains registered by Norid. It is assumed that the registrar has the necessary technical competence to understand these requirements.

Norid will check domains against these requirements at the time of registration and afterwards at regular intervals. Failure to comply with these requirements may result in rejection of the application or deletion of the domain.

The following requirements apply to domains to be registered by Norid:

  1. At least two separate name servers
    Every domain must be served by at least two separate name servers, which run on physically separate machines.

  2. Consistency between data in the domain name application and response from name servers
    The response from the name servers specified for a domain must include the same name servers as those specified in the application. Note that both the names and the number of name servers must be the same.

  3. Authoritative name servers
    All the name servers specified for a domain must respond authoritatively for the domain.

  4. Accessible name servers
    Name servers must be permanently connected to the Internet, and must have a permanently assigned (fixed) IPv4 address. The name servers may also have an IPv6 address, and this too must be permanently assigned as required for the IPv4 address. The name servers must be connected to a stable and reliable infrastructure.

  5. Correct email information in the SOA (Start Of Authority) record
    The SOA record for a domain must include a functioning email address for the administrator responsible for the operation of the name server.

  6. Consistent serial number in the SOA record
    The serial number in the SOA record must be the same for all the specified name servers.

  7. Canonical name on the right-hand side in NS and MX records
    On the right-hand side in an NS record the canonical name must always be used, and not an alias (CNAME).

  8. No IDN domain names in the host address
    Host addresses that includes national characters (IDN-names) or their corresponding ACE version may not be registered in Norid’s database.

  9. DNSSEC
    Securing a domain name with DNSSEC is voluntary. For DNSSEC-secured domains, the following applies:

    • The DS records registered with Norid must refer to one or more DNSKEY records in the delegated zone.
    • At least one of the signatures over the DNSKEY records must be generated using an algorithm that is supported by Norid.

    Norid must be able to validate the correctness of the SOA and NS-records in the zone, using at least one of the DS-/DNSKEY-pairs.

Last updated 2015 or before