|1.||What is DNSSEC?|
| ||DNSSEC is a technique for improving internet security. The Domain Name System (DNS) is the part of the Internet that translates names such as "example.edu" into numeric addresses (for example, 188.8.131.52). All Internet applications--from electronic mail to online banking--depend on the accuracy and integrity of this translation. Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process. For a basic overview of DNSSEC and what it means for colleges and universities, read 7 Things You Should Know About DNSSEC. |
Read more at the EDUCAUSE DNSSEC Resource page and www.dnssec.net, and watch the EDUCAUSE Live webinar on DNSSEC for the .edu domain.
|2.||When will .edu be signed?|
| ||On August 2, 2010, EDUCAUSE and VeriSign announced the completion of a project to deploy DNSSEC within the .edu portion of the Internet. Institutions whose domain names end in .edu will now be able to utilize digital signatures to mitigate certain DNS security vulnerabilities, such as cache poisoning and man-in-the-middle attacks. The .edu namespace is signed, and .edu domain names can also be signed at this time.|
|3.||How do I implement DNSSEC for my domain?|
| ||The first step is ensuring your DNS software is DNSSEC-aware. |
Once you have implemented DNSSEC-aware DNS software, you can utilize the software's features to sign your zones. If you are using BIND, OpenDNSSEC, DNSSEC TOOLS, or ZKT, refer to VeriSign's Tool Guide Series on DNSSEC for step-by-step directions.
After your domain is signed, log into the EDUCAUSE .edu Domain Administration website and enter your DS record data at the "View/Manage DNSSEC data" link.
For more information, see the EDUCAUSE DNSSEC Resource Page.
|4.||I've signed my domain - how do I know it is validating?|
| ||Executing the following dig command should return "ad" in the flags field: |
dig @184.108.40.206 +dnssec yourdomain.edu
The following are browser-based validation tools:
DNSViz, a tool for visualizing the DNSSEC status of a DNS zone.
DNSSEC Debugger, a DNSSEC debugging tool from VeriSign Labs.
DNSSEC Validator, a Firefox add-on.
|5.||Once I sign my domain and publish my DS records with EDUCAUSE, will I be required to roll the keys annually?|
| ||No. At launch, EDUCAUSE is not requiring key rollovers on any particular schedule.|
|6.||Do I have to implement DNSSEC for my domain?|
| ||No. At launch, DNSSEC will be optional for .edu domain holders.|
|7.||Will DNSSEC increase fees for .edu domain names?|
| ||No. There will be no extra charges for .edu domain names.|