
Norid AS

Abels gt. 5, Teknobyen

Phone +47 73 55 73 55

DNSSEC (DNS Security Extensions) is a security mechanism that is added to the domain name system. With DNSSEC, responses to a domain look-up are signed, so that it is possible to verify that they are coming from the correct source and have not been changed along the way.

DNSSEC was implemented for Norwegian domain names in 2014. With the help of registrars, who quickly came on board, we soon had one of the highest shares of signed domain names in the world, and we have stayed on top ever since. Norid considers DNSSEC to be a key security component in the domain name system and believes that the technology should be standard for Norwegian domain names. In 2015, Difi defined DNSSEC as the recommended standard for public agencies (text in Norwegian only). We recommend that all registrars offer DNSSEC and actively contribute to its wider implementation.

We have decided to introduce DNSSEC as an infrastructure upgrade. A domain name holder should not have to be familiar with the technology or actively order it to get this security upgrade for their domain name.

Getting started with DNSSEC

DNSSEC technology is advanced, and there is very little room for error. Below are some tips on how to get started, whether you are solely a registrar or also an internet service provider or a provider of other technical services.

How to become a DNSSEC enabled registrar

Registrars planning on offering DNSSEC must be registered with us. In practice, this means that the registrar contacts us, and we activate a DNSSEC enabled parameter on the registrar’s account on the registrar web. The registrar list will specify whether or not the registrar is DNSSEC enabled.

DPS document for .no

The DPS document (DNSSEC Policy and Practice Statement) describes how Norid protects and operates DNSSEC-secured zones. The format and content of this document were prepared in accordance with the recommendations and standards provided by RFC 6841. It describes preferred keys and algorithms, procedures for key rotation, infrastructure, and how we have secured the chain of trust and key information. Preferred algorithms and other values are based on best practices and the DPS documents of .se, .nl and .at.

DPS document (PDF, ver. 1e1, dated 2014-12-16)

Mailing list

The email list dnssec-announce@lists.norid.no is an information channel from Norid on the operation of DNSSEC for .no, cf. Chapter 2.1 of the DPS document. It is primarily a standby channel for when it is necessary to notify registrars about incidents involving DNSSEC. It will also be used to give notice of scheduled changes, such as rotation of KSK keys. Only Norid can send messages to this list.

Registrars handling DNSSEC will be added to the list automatically when they ask to become DNSSEC enabled. As a registrar, you can sign up any employee you believe could benefit from being on the list. The list is also open for anyone interested in information concerning the operation of DNSSEC for .no. You do not need to be a member of the list to access the message archive.

Read more about DNSSEC

Published: 16 December 2014
Updated: 29 April 2021