NO / EN

Norid AS

Abels gt. 5, Teknobyen

Phone +47 73 55 73 55

DNSSEC (DNS Security Extensions) is a security mechanism that is added to the domain name system. With DNSSEC, responses to a domain look-up are signed, so that it is possible to verify that they are coming from the correct source and have not been changed along the way.

DNSSEC was implemented for Norwegian domain names in 2014. With the help of domain name providers, who quickly came on board, we soon had one of the highest shares of signed domain names in the world, and we have stayed on top ever since. Norid considers DNSSEC to be a key security component in the domain name system and believes that the technology should be standard for Norwegian domain names. In 2015, Difi defined DNSSEC as the recommended standard for public agencies (text in Norwegian only). We recommend that all providers offer DNSSEC and actively contribute to its wider implementation.

We have decided to introduce DNSSEC as an infrastructure upgrade. A domain name holder should not have to be familiar with the technology or actively order it to get this security upgrade for their domain name.

Getting started with DNSSEC

DNSSEC technology is advanced, and there is very little room for error. Below are some tips on how to get started, regardless of whether you are a domain provider or if you also are an internet service provider or offer other technical services.

How to become a DNSSEC enabled provider

Domain providers planning on offering DNSSEC must be registered with us. In practice, this means that the provider contacts us, and we activate a DNSSEC enabled parameter on the provider’s account on the provider web. The provider list will specify whether or not the provider is DNSSEC enabled.

DPS document for .no

The DPS document (DNSSEC Policy and Practice Statement) describes how Norid protects and operates DNSSEC-secured zones. The format and content of this document was prepared in accordance with recommendations and standards provided by RFC6841. It describes preferred keys and algorithms, procedures for key rotation, infrastructure and how we have secured the chain of trust and key information. Preferred algorithms and other values are based on best practices and the DPS documents of .se, .nl and .at.

DPS document (PDF, ver. 1e1, dated 2014-12-16)

Mailing list

The email list dnssec-announce@lists.norid.no is an information channel from Norid on the operation of DNSSEC for .no, cf. Chapter 2.1 of the DPS document. It is primarily a stand by channel for when it is nessesary to notify providers about incidences to do with DNSSEC. It will also be used to give notice of scheduled changes, such as rotation of KSK keys. Only Norid can send messages to this list.

Domain providers handling DNSSEC will be added to the list automatically when they ask to become DNSSEC enabled. As a provider, you can sign up any employee you believe could benefit from being on the list. The list is also open for anyone interested in information concerning the operation of DNSSEC for .no. You do not need to be a member of the list to access the message archive.

Read more about DNSSEC

Published: 16 December 2014
Updated: 21 August 2020