DNSSEC was implemented for Norwegian domain names in 2014. With the help of registrars, who quickly came on board, we soon had one of the highest shares of signed domain names in the world, and we have stayed on top ever since. Norid considers DNSSEC to be a key security component in the domain name system and believes that the technology should be standard for Norwegian domain names. In 2015, Difi defined DNSSEC as the recommended standard for public agencies (text in Norwegian only). We recommend that all registrars offer DNSSEC and actively contribute to its wider implementation.
We have decided to introduce DNSSEC as an infrastructure upgrade. A domain name holder should not have to be familiar with the technology or actively order it to get this security upgrade for their domain name.
Getting started with DNSSEC
DNSSEC technology is advanced, and there is very little room for error. Below are some tips on how to get started, regardless of whether you are a registrar or if you also are an internet service provider or offer other technical services.
How to become a DNSSEC enabled registrar
Registrars planning on offering DNSSEC must be registered with us. In practice, this means that the registrar contacts us, and we activate a DNSSEC enabled parameter on the registrar’s account on the registrar web. The registrar list will specify whether or not the registrar is DNSSEC enabled.
DPS document for .no
The DPS document (DNSSEC Policy and Practice Statement) describes how Norid protects and operates DNSSEC-secured zones. The format and content of this document was prepared in accordance with recommendations and standards provided by RFC6841. It describes preferred keys and algorithms, procedures for key rotation, infrastructure and how we have secured the chain of trust and key information. Preferred algorithms and other values are based on best practices and the DPS documents of .se, .nl and .at.
DPS document (PDF, ver. 1e2, dated 2022-02-01)
The email list firstname.lastname@example.org is an information channel from Norid on the operation of DNSSEC for .no, cf. Chapter 2.1 of the DPS document. It is primarily a stand by channel for when it is nessesary to notify registrars about incidences to do with DNSSEC. It will also be used to give notice of scheduled changes, such as rotation of KSK keys. Only Norid can send messages to this list.
Registrars handling DNSSEC will be added to the list automatically when they ask to become DNSSEC enabled. As a registrar, you can sign up any employee you believe could benefit from being on the list. You do this by sending an email to email@example.com and ask for the email addresses to be added.
Read more about DNSSEC
- DNSSEC Policy & Practice Statements (DPS) (ISOC)
- Where do I start? (ISOC, guide intended for registrars and internet service providers)
- Practical tips and solutions for managing DNSSEC signed domain names (Norid)
- Norwegian domain names more secure with DNSSEC (Norid)