Go to Content

DNSSEC

SCOPE

DNSSEC (Domain Name System Security Extensions) is the name given to security extensions to the DNS (Domain Name System) protocol conceived to protect and authenticate DNS traffic.


These extensions validate the data through digital signatures, making use of asymmetric cryptology technology to ensure the authenticity and integrity of information exchanged between DNS servers and between these and the user's applications.

The security mechanisms provided in DNSSEC are complementary and transparent for the user, and therefore do not interfere with the normal functioning of the DNS protocol.

The DNSSEC extensions aim to improve user trust in the services provided, namely:
  • Suppressing the DNS protocol's fragilities;
  • Preventing man-in-the middle and cache poisoning type attacks;
  • Reducing the risk of information manipulation;
  • Reinforcing the system's reliability.

Security threats and awareness of this have been a prime concern of the entities responsible for this matter and so specialists worldwide are concerned with searching for solutions that ensure a safer service and network environment.

Following international developments, monitored closely by the .pt, the conditions for adopting this security mechanism within the DNS community have been gradually created and there is already a considerable number of TLDs (Top Level Domains) that make this mechanism available (.se, .pr, .cz, .bg, .br, .museum, .gov, .org) to their users, .pt being among the first and many followed on, principally after the Root (or root server) was assigned in July 2010, which then enabled the DNSSEC chain of trust to be propagated throughout the entire DNS hierarchical structure, simplifying the entire process.

In order to gain full benefit from this service, it must be implemented by ISPs (Internet Service Providers) so that this service reaches the end client.

If you have any question about DNSSEC see the FAQ.

DNSSEC DEPLOYMENT 

If you have DNS knowledge and want to test the use of DNSSEC in a .pt domain, without affecting the operation of your current domains, you can request the free registration of a domain under the dnssec.pt hierarchy, by sending your details using the form below and requesting a domain name under dnssec.pt for testing proposes.

Contact form for information related only to DNSSEC:

If you have questions regarding the registration of domains under .pt, not DNSSEC related, you should use the form for this purpose, available at Contacts.

Please copy the characters from the image into the field below.

Captcha 13917554

TUTORIALS:

SCRIPTS:
• KIT DNSSEC: v0.9 
• Script @ ul.pt: editNsign
• Example files: example file zone / named.conf


RFCs:
• DNS
RFC 1034: Domain Names - Concepts and Facilities
RFC 1035: Domain Names - Implementation and Specification
RFC 1912: Common DNS Operational and Configuration Errors
RFC 2671: Extension Mechanisms for DNS (EDNS0)

• DNSSEC
RFC 4033: DNS Security Introduction and Requirements
RFC 4034: Resource Records for the DNS Security Extensions
RFC 4035: Protocol Modifications for the DNS Security Extensions
RFC 4470. Minimally Covering NSEC Records and DNSSEC On-line Signing
RFC 4641: DNSSEC Operational Practices
RFC 5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
RFC 6014: Cryptographic Algorithm Identifier Allocation for DNSSEC

• DANE
The DNS-Based Authentication of Named Entities (DANE) / Transport Layer Security (TLS) Protocol: TLSA
Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)
The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance