DNSSEC tips

Domains that are secured with DNSSEC can create additional challenges. Here you can find some practical tips that can help with the administration of such domains.



What is a ‘DNSSEC enabled’ registrar?

Only registrars that are DNSSEC-enabled by Norid can handle DNSSEC data. DNSSEC is enabled when Norid activates the ‘DNSSEC enabled’ parameter on the registrar’s account on the registrar web.

Registrars must contact Norid by email in order to be ‘DNSSEC enabled’.

A holder must use a ‘DNSSEC enabled’ registrar in order to secure a domain.

‘DNSSEC enabled’ registrars are published in our list of registrars. The list can be filtered to show which registrars handle DNSSEC.

How can you check if a domain is secured?

All registrars can check if a domain is secured, regardless of whether the registrar is ‘DNSSEC enabled’ or not. This can be done in several ways:

  • By looking up the domain in the whois database.

  • By doing an EPP-domain-info (you can use Norid’s EPP client if your own EPP software does not support DNSSEC data).

DNSSEC data is shown if the domain is secured.

DNSSEC data can also be looked up in DNS.

What should you think about in regard to registrar transfers?

A registrar transfer is done by submitting an EPP-transfer-transaction.

If the domain should remain secured after a registrar transfer, all DNSSEC data must be transferred to the new registrar as a part of the transfer transaction. For this to happen, the new registrar must be ‘DNSSEC enabled’.

If the new registrar is not ‘DNSSEC enabled’, all DNSSEC data will be removed as a part of the transfer transaction, and the domain will no longer be secured. The registrar should be aware of this and check with the holder that it is acceptable that the domain will no longer be secured. If the holder wishes to keep the domain secured, the holder should be advised to find a ‘DNSSEC enabled’ registrar instead.

What if my EPP software does not support DNSSEC data?

If a registrar uses their own EPP software and it does not support DNSSEC, they should be especially aware of the following. Such a registrar will most likely not be a ‘DNSSEC enabled’ registrar.

What you must be aware of is that a domain can be secured even if your own EPP software does not show DNSSEC data. This means that you can be ‘fooled’ into believing that the domain has no DNSSEC data. This can be a problem in some situations, and especially in regard to registrar transfers, as the DNSSEC data will be removed as a part of the transfer transaction.

THEREFORE: if you are in doubt, do a whois inquiry to check if the domain has any DNSSEC data, and warn the holder that the DNSSEC data will be removed if the domain is transferred to you as a registrar. If the holder wishes to keep the domain secured, the holder should be advised to find a ‘DNSSEC enabled’ registrar instead.

There is an error at the name server supplier, and the DNSSEC security cannot be maintained. What should I do?

A problem has occurred at the actor responsible for maintaining the DNSSEC data for a domain, and it is not possible for them to correct the error in their name server setup in time to prevent the domain from stopping working (validating) in DNS. The actor is whoever operates the name server, and can be the holder, the registrar or an ISP.

One example of such a problem is that the signing software has stopped working, so that the signatures for the domain are no longer refreshed regularly. A DNSSEC signature has a lifetime, after which it expires. If the lifetime is exceeded, a validating resolver will consider the domain invalid because it no longer validates, and will reply that the domain does not exist. For the end user this means that all services connected to the domain stop working.
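The signature lifetime described above is something a registrar or name server operator can monitor rather than discover from failing resolvers. The following is an added example, not code from Norid or from this page: it reads RRSIG records in DNS presentation format (RFC 4034, section 3.2), computes how much lifetime each signature has left, and flags signatures that are expired or about to expire, which is the moment to repair the signer or to withdraw the DS records. The RRSIG lines are constructed sample data, and the three-day warning threshold is an assumed default.

```python
"""Added example, not code from Norid or from this page: check how much
lifetime the RRSIG signatures of a zone have left, so the signer can be
repaired or the DS records withdrawn before the signatures expire and
validating resolvers start failing the domain. Input is RRSIG text in DNS
presentation format (RFC 4034, section 3.2); the sample below is
constructed and no network access is needed."""
from datetime import datetime, timedelta, timezone

# Constructed sample: two RRSIG records as they would appear in a zone dump.
# Field order: owner ttl class RRSIG type_covered alg labels orig_ttl
#              expiration inception key_tag signer signature
SAMPLE_RRSIGS = """\
example.no. 3600 IN RRSIG SOA 13 2 3600 20150301120000 20150215120000 12345 example.no. c2lnbmF0dXJlLWRhdGE=
example.no. 3600 IN RRSIG NS 13 2 3600 20150220000000 20150206000000 12345 example.no. c2lnbmF0dXJlLWRhdGE=
"""

TS_FORMAT = "%Y%m%d%H%M%S"  # RRSIG timestamp format, always UTC


def parse_timestamp(value):
    """Accept a datetime or a YYYYMMDDHHMMSS string; return an aware UTC datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_rrsig_line(line):
    """Split one RRSIG record in presentation format into the fields we need."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": parse_timestamp(f[8]),
        "inception": parse_timestamp(f[9]),
        "key_tag": int(f[10]),
    }


def signature_status(rrsig_text, now, warn_within=timedelta(days=3)):
    """One entry per RRSIG: remaining lifetime in seconds and a verdict of
    'expired', 'expiring' (less than warn_within left) or 'ok'."""
    now = parse_timestamp(now)
    report = []
    for line in rrsig_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and zone-file comments
        sig = parse_rrsig_line(line)
        remaining = sig["expiration"] - now
        if remaining <= timedelta(0):
            verdict = "expired"
        elif remaining <= warn_within:
            verdict = "expiring"
        else:
            verdict = "ok"
        report.append({
            "owner": sig["owner"],
            "type_covered": sig["type_covered"],
            "key_tag": sig["key_tag"],
            "remaining_seconds": int(remaining.total_seconds()),
            "verdict": verdict,
        })
    return report


def needs_action(rrsig_text, now, warn_within=timedelta(days=3)):
    """True if any signature is expired or about to expire: time to fix the
    signer or to submit the EPP update that removes the DS records."""
    return any(e["verdict"] != "ok"
               for e in signature_status(rrsig_text, now, warn_within))


if __name__ == "__main__":
    # With the clock at 2015-02-18 12:00 UTC the NS signature has 36 hours left.
    for entry in signature_status(SAMPLE_RRSIGS, "20150218120000"):
        print(entry)
```

In practice the RRSIG text would come from a zone transfer or a zone file dump of the operator's own signer; the threshold should be set well above the time it takes for a DS removal to be published, since the page notes that this takes a few hours.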

In such cases it is recommended to remove DNSSEC data for all affected domains before they stop working in DNS. It is usually more important that the services on the domain continue to work than that the domain is unsecured for a short period of time. What applies in each case must be assessed by the registrar, possibly in consultation with the holder.

In order to remove DNSSEC data, you must submit an EPP-domain-update transaction and remove all DS records from the domain.

In order to quickly remove DNSSEC data, Norid’s EPP client has a bulk function where you can remove all DS records from a list of domains.

PLEASE NOTE: After the DNSSEC data have been removed, it will take a few hours before the change is published in all name servers. It is therefore important to submit the change in time.

When the actor has solved the problem, the domain can be secured again. This is done by submitting an EPP-domain-update and adding DS records for the domain.
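Both the check described under ‘How can you check if a domain is secured?’ (an EPP-domain-info) and the two updates above (removing all DS records, then adding them back) are carried in the secDNS extension of EPP (RFC 5910). The following is an added example, not Norid’s code and not part of this page: it extracts the DS records from a domain:info response, and builds the domain:update commands that remove every DS record or publish them again. The XML follows the RFC 5910 schema; whether Norid’s EPP service accepts exactly this form, and the clTRID values, are assumptions, and the info response is constructed sample data with a synthetic digest.

```python
"""Added example, not Norid's code and not part of this page: read the DS
records out of an EPP domain:info response and build the domain:update
commands that remove all DS records or add them back, using the secDNS-1.1
extension of RFC 5910. That Norid's EPP service accepts exactly this form is
an assumption; the response below is constructed sample data."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "epp": "urn:ietf:params:xml:ns:epp-1.0",
    "domain": "urn:ietf:params:xml:ns:domain-1.0",
    "secDNS": "urn:ietf:params:xml:ns:secDNS-1.1",
}

# Constructed sample: a domain:info response for a secured domain. The DS
# digest is a synthetic 64-hex-digit value, not a real record.
SAMPLE_DIGEST = "0123456789ABCDEF" * 4
SAMPLE_INFO_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.no</domain:name>
      </domain:infData>
    </resData>
    <extension>
      <secDNS:infData xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
        <secDNS:dsData>
          <secDNS:keyTag>12345</secDNS:keyTag>
          <secDNS:alg>13</secDNS:alg>
          <secDNS:digestType>2</secDNS:digestType>
          <secDNS:digest>{SAMPLE_DIGEST}</secDNS:digest>
        </secDNS:dsData>
      </secDNS:infData>
    </extension>
    <trID><clTRID>EXAMPLE-1</clTRID><svTRID>SRV-1</svTRID></trID>
  </response>
</epp>
"""


def _ds_from(elements):
    """Turn secDNS:dsData elements into plain dicts."""
    return [{
        "keyTag": int(ds.findtext("secDNS:keyTag", namespaces=NS)),
        "alg": int(ds.findtext("secDNS:alg", namespaces=NS)),
        "digestType": int(ds.findtext("secDNS:digestType", namespaces=NS)),
        "digest": ds.findtext("secDNS:digest", namespaces=NS).strip().upper(),
    } for ds in elements]


def ds_records(info_response_xml):
    """DS records published for the domain according to a domain:info response."""
    root = ET.fromstring(info_response_xml)
    return _ds_from(root.findall(".//secDNS:infData/secDNS:dsData", NS))


def is_secured(info_response_xml):
    """The domain is secured (in the page's sense) when DS records are present."""
    return bool(ds_records(info_response_xml))


def _update_command(domain, cltrid, secdns_body):
    """Wrap a secDNS:update body in a complete domain:update command."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <update>
      <domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>{escape(domain)}</domain:name>
      </domain:update>
    </update>
    <extension>
      <secDNS:update xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
        {secdns_body}
      </secDNS:update>
    </extension>
    <clTRID>{escape(cltrid)}</clTRID>
  </command>
</epp>
"""


def remove_all_ds_update(domain, cltrid):
    """domain:update that strips every DS record (secDNS:rem with secDNS:all)."""
    return _update_command(domain, cltrid,
                           "<secDNS:rem><secDNS:all>true</secDNS:all></secDNS:rem>")


def add_ds_update(domain, records, cltrid):
    """domain:update that publishes the given DS records again."""
    items = "".join(
        "<secDNS:dsData>"
        f"<secDNS:keyTag>{int(r['keyTag'])}</secDNS:keyTag>"
        f"<secDNS:alg>{int(r['alg'])}</secDNS:alg>"
        f"<secDNS:digestType>{int(r['digestType'])}</secDNS:digestType>"
        f"<secDNS:digest>{escape(r['digest'])}</secDNS:digest>"
        "</secDNS:dsData>"
        for r in records)
    return _update_command(domain, cltrid, f"<secDNS:add>{items}</secDNS:add>")


def update_removes_all_ds(update_xml):
    """Check a built update before sending it: secDNS:rem/secDNS:all must be true."""
    root = ET.fromstring(update_xml)
    return root.findtext(".//secDNS:update/secDNS:rem/secDNS:all",
                         namespaces=NS) == "true"


def added_ds_records(update_xml):
    """DS records an update would add (secDNS:add/secDNS:dsData)."""
    root = ET.fromstring(update_xml)
    return _ds_from(root.findall(".//secDNS:update/secDNS:add/secDNS:dsData", NS))
```

A registrar whose own EPP software does not show DNSSEC data can still run `ds_records` over the raw domain:info response to see whether the extension is present; keeping the extracted records lets the domain be re-secured with `add_ds_update` once the name server problem is solved.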

Last updated 2015 or before