How to check if a domain name is secured
All registrars can check whether a domain name is secured, regardless of whether or not they are DNSSEC enabled. There are several ways to do this:
- Look up the domain name in the registrar-whois or public lookup service
- Using the EPP command domain-info
- DNS lookup
DNSSEC data should be present if the domain name is secured.
If the domain name is secured with DNSSEC and is being transferred to another registrar, you must make sure that the new registrar is able to handle the DNSSEC, see the registrar list. If the new registrar cannot handle DNSSEC, you must remove all DNSSEC data in connection with the transfer, so that the domain name is no longer secured.
Use the EPP operation delegation-transfer to change registrars. If the new registrar is not DNSSEC enabled, all DNSSEC data will be removed in connection with the transfer operation. The domain name will no longer be secured.
The domain name holder must be aware of this, so that the domain name is not de-secured accidentally and without the holder's knowledge. If the holder wants to keep the domain name secured, you should recommend they find a registrar that is DNSSEC enabled.
If the EPP software does not support DNSSEC
It is unlikely that a registrar is DNSSEC enabled if their EPP software does not support DNSSEC. However, a domain name can be secured even if your EPP software does not show DNSSEC data. In other words, you may be tricked into thinking there is no DNSSEC data for the domain name. This could be problematic in some cases, and especially when changing registrars, as all DNSSEC data will be removed in connection with the transfer operation.
When in doubt, you should perform a whois lookup to check for DNSSEC data on the domain name, so that you can warn the domain name holder that the domain name will no longer be secured with you as the registrar. If the holder wants to keep the domain name secured, you should recommend that they find another registrar. At the same time, you should also consider upgrading your services to include DNSSEC.
Name server provider error
Problems may arise with the party responsible for maintaining DNSSEC data for a domain name, which this party could be unable to correct in their name server structure before the domain name stops working (validating) in DNS. This party is the party running the name server itself, and may be the domain name holder, the registrar or an internet service provider.
Such problems may arise, for example, when signature software stops running, which means the signatures for the domain name no longer refresh regularly. A DNSSEC signature has a certain lifetime before it becomes invalid. If the lifetime expires, a validating resolver will consider the domain name invalid, because it will no longer validate and will therefore respond that the domain name no longer exists. The consequence for the holder is that the services running on the domain name will stop working.
In these cases, we recommend de-securing all affected domain names before they stop working in DNS. Domain names are de-secured by performing a domain-update in EPP and removing all DS records from the domain name. (To help you de-secure quickly, Norid’s EPP client has a special bulk function, where you can remove all DS records from a list of domain names.)
The reason we recommend de-securing is that the interest of keeping the services on the domain name operational normally outweighs the risk of having the domain name un-secured for a short time. The registrar should consider the specific circumstances of each case, perhaps in consultation with the holder.
PLEASE NOTE: After the domain name has been de-secured in the EPP interface, it will take a few hours before the change has been published to all name servers. It is therefore very important to do this early enough.
When the person running the name server has solved the problem, the domain name can be re-secured. Secure the domain name with the EPP operation domain-update and by adding DS records to the domain name.