DNSSEC in test operation


We offer DNSSEC technology for our registered CZ domains from today. We expect a hard launch at the end of July, but orthodox DNSSEC fans can activate it now.

Since 15.6.2011 it is possible to activate DNSSEC technology for CZ domains for which we are the registrar.

DNSSEC is a technology that uses electronic signatures to verify the origin of data in DNS records. It prevents an attacker from being able to spoof DNS records and thus, for example, make you a fake. direct you to fraudulent WWW sites. More information e.g. on Wikipedia. We will try to write more about this technology in general soon.

We offer DNSSEC in test mode. This means that we do not recommend activating it for important domains. Although we have tested everything thoroughly, we still do not guarantee full functionality and some changes and modifications may occur. During this period, we will perform several trial key exchanges (ZSK and KSK) to verify that everything will work correctly and no problems will occur.

We expect DNSSEC to be deployed in the second half of July.

For the time being, we offer DNSSEC only for CZ domains and only for those for which we are the registrar. Later we will offer DNSSEC also for EU and gTLD domains (August at the earliest).

The use of DNSSEC and any changes to its settings are and will be completely free of charge.


We offer 3 DNSSEC configuration options:

  1. Do not use DNSSEC – the default option, the domain is not protected by DNSSEC.
  2. Use DNSSEC WEDOS – can only be used for domains that use our DNS servers. In this case, DNSSEC is activated, DNS records are signed with our keys and our KEYSET is set for the domain. We also take care of the relevant key changes. The customer doesn’t have to worry about anything.
  3. Use custom KEYSET – can only be used for domains that do NOT use our DNS servers. Here, the customer can set any KEYSET for the domain, but he must take care of signing DNS records on the DNS servers himself.

Our customers can now activate DNSSEC for their CZ domains in the customer administration. For more information, see Configuring DNSSEC on a domain.

Whether we will activate DNSSEC automatically for all our customers’ domains in the future has not yet been decided. However, we are more inclined not to do that.

Of course, we welcome all your comments and insights.

DNSSEC in action

To check that DNSSEC is set up and working properly for a domain, we recommend the following tools:

  • DNSSEC Validator – a plugin for Firefox browser, developed by Czech organization CZ.NIC
  • DNS visualization tool – a tool for analysis and graphical representation of DNS records and DNSSEC keys and their status

You can see and check it e.g. on our test domain nasweb.cz.