DNSSEC for .edu FAQ

DNSSEC is a technique for improving internet security. The Domain Name System (DNS) is the part of the Internet that translates names such as "example.edu" into numeric addresses (for example, All Internet applications--from electronic mail to online banking--depend on the accuracy and integrity of this translation. Over the years, Internet security experts have discovered a variety of ways that DNS translation may be compromised. The DNSSEC security system limits the problem by allowing owners of domain names to provide a digital signature that adds an extra level of authentication to the translation process.

On August 2, 2010, EDUCAUSE and VeriSign announced the completion of a project to deploy DNSSEC within the .edu portion of the Internet. Institutions whose domain names end in .edu will now be able to utilize digital signatures to mitigate certain DNS security vulnerabilities, such as cache poisoning and man-in-the-middle attacks. The .edu namespace is signed, and .edu domain names can also be signed at this time.

The first step is ensuring your DNS software is DNSSEC-aware.

Once you have implemented DNSSEC-aware DNS software, you can utilize the software's features to sign your zones. If you are using BIND, OpenDNSSEC, DNSSEC TOOLS, or ZKT, refer to VeriSign's Tool Guide Series on DNSSEC for step-by-step directions.

After your domain is signed, log into the EDUCAUSE .edu Domain Administration website and enter your DS record data at the "View/Manage DNSSEC data" link.

For more information, see the EDUCAUSE DNSSEC Resource Page.

Executing the following dig command should return "ad" in the flags field:

dig @.87.68.170 +dnssec yourdomain.edu

A variety of browser-based tools are also available online.

No. At launch, EDUCAUSE is not requiring key rollovers on any particular schedule.

No. At launch, DNSSEC will be optional for .edu domain holders.

No. There will be no extra charges for .edu domain names.