Preparations for DNSSEC deployment

[gtranslate]

Currently, our programmers are working intensively on the deployment of DNSSEC technology. We expect a test run in June, live operation from July.

More and more of our customers are asking about the availability of DNSSEC technology. It’s not so much that they really want it, but because there have been a lot of awareness campaigns around DNSSEC, so anyone who doesn’t have DNSSEC is not “in”.

In this article, we will outline our plan to deploy this technology, and in future articles we will also provide more information about the technology itself (what it is, what it is for, and how it works).

The first step is to support DNSSEC on our DNS servers. So we need to implement signing of zone files using DNSSEC keys, implement the registration of these keys and arrange their automatic renewal.

The second step is to make DNSSEC available for domains for which we are the registrar. So we need to allow customers to set a DNSSEC key for their domain. We will start first with .CZ domain, then we will gradually expand it with other domain extensions from our offer. Let’s see how fast we can make it work.

We expect to have everything we need done during May. In June, we will offer a trial run – those really interested will be able to activate DNSSEC, but there is no guarantee yet and things may still change and be modified as we gain experience with the operation. If all goes well, DNSSEC will be officially launched for all our customers from July.

DNSSEC with us

Of course, this technology can only be activated for domains for which we will be the registrar. There will be 3 options:

  1. The domain does not use DNSSEC
  2. The domain uses DNSSEC in combination with our DNS servers – in this case, the domain zone will be signed with our key and our public DNSSEC key will be established in the domain registry. The customer will not be able to set their own keys.
  3. The domain uses DNSSEC without our DNS servers – the customer will be able to set any DNSSEC key for the domain, but cannot use ours. However, it must take care of signing the DNS zone on its own DNS servers.

We have decided that for the time being we will not automatically activate DNSSEC for all domains registered with us, as other providers do. The interested party will have to activate DNSSEC in the customer administration. But it will be just a few clicks away, no complicated operations or detailed knowledge of the technology required.