Go to EDUCAUSE home page EDUCAUSE .edu Registration
.edu Home Page Request a New Domain Manage Your Domain / Hosts Whois Lookup .edu Policy .edu FAQ
logout of .edu administration Help Contact EDUCAUSE

DNSSEC for .edu

Contents
  1. What is DNSSEC?
  2. When will .edu be signed?
  3. How do I implement DNSSEC for my domain?
  4. I've signed my domain - how do I know it is validating?
  5. Once I sign my domain and publish my DS records with EDUCAUSE, will I be required to roll the keys annually?
  6. Do I have to implement DNSSEC for my domain?
  7. Will DNSSEC increase fees for .edu domain names?
Questions and Answers
1.What is DNSSEC?
 DNSSEC is a technique for improving internet security. The Domain Name System (DNS) is the part of the Internet that translates names such as "example.edu" into numeric addresses (for example, 198.59.61.90). All Internet applications--from electronic mail to online banking--depend on the accuracy and integrity of this translation. Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process. For a basic overview of DNSSEC and what it means for colleges and universities, read 7 Things You Should Know About DNSSEC
 
Read more at the EDUCAUSE DNSSEC Resource page and www.dnssec.net, and watch the EDUCAUSE Live webinar on DNSSEC for the .edu domain
 
Back to Top
2.When will .edu be signed?
 On August 2, 2010, EDUCAUSE and VeriSign announced the completion of a project to deploy DNSSEC within the .edu portion of the Internet. Institutions whose domain names end in .edu will now be able to utilize digital signatures to mitigate certain DNS security vulnerabilities, such as cache poisoning and man-in-the-middle attacks. The .edu namespace is signed, and .edu domain names can also be signed at this time.
Back to Top
3.How do I implement DNSSEC for my domain?
 The first step is ensuring your DNS software is DNSSEC-aware.  
 
Once you have implemented DNSSEC-aware DNS software, you can utilize the software's features to sign your zones. If you are using BIND, OpenDNSSEC, DNSSEC TOOLS, or ZKT, refer to VeriSign's Tool Guide Series on DNSSEC for step-by-step directions.  
 
After your domain is signed, log into the EDUCAUSE .edu Domain Administration website and enter your DS record data at the "View/Manage DNSSEC data" link. 
 
For more information, see the EDUCAUSE DNSSEC Resource Page.
Back to Top
4.I've signed my domain - how do I know it is validating?
 Executing the following dig command should return "ad" in the flags field:  
dig @68.87.68.170 +dnssec yourdomain.edu 
 
The following are browser-based validation tools: 
  • DNSViz, a tool for visualizing the DNSSEC status of a DNS zone.
  •  
  • DNSSEC Debugger, a DNSSEC debugging tool from VeriSign Labs.
  •  
  • DNSSEC Validator, a Firefox add-on.
  • Back to Top
    5.Once I sign my domain and publish my DS records with EDUCAUSE, will I be required to roll the keys annually?
     No. At launch, EDUCAUSE is not requiring key rollovers on any particular schedule.
    Back to Top
    6.Do I have to implement DNSSEC for my domain?
     No. At launch, DNSSEC will be optional for .edu domain holders.
    Back to Top
    7.Will DNSSEC increase fees for .edu domain names?
     No. There will be no extra charges for .edu domain names.
    Back to Top
    .edu Domain Home Page  •  EDUCAUSE Home Page