DNS Security Extensions - DNSSEC

DNSSEC (Domain Name System Security Extensions) is a service for improving the information security of name services that can be enabled also for fi-domain names.

The domain name system gives each domain name an individual IP address (e.g. 87.239.124.120). DNSSEC is an extension to the domain name system that ensures the reliable origin and integrity of the information obtained from the name server.

When DNSSEC is enabled for an fi-domain name, responses to domain name system queries are digitally signed. DNSSEC ensures that responses to domain name system queries come from the right sender and that the response information has not been modified. This means that those visiting a website officially connected to the domain name access the exact website they intend to.

Test whether the resolver name server you use has activated DNSSEC validation.


A negative result means that even if the domain name used DNNSEC, the internet operator does not check the completeness of the DNSSEC chain of trust before returning a response (e.g. IP address of a website).

A positive result means that the DNSSEC validation is activated and the chain of trust is validated.

Providing security extensions to customers

A domain name registrar may activate a DNSSEC service by signing the domain name information after which the registrar may add DS records to the domain name. The DS records may be managed via the EPP interface and the browser-based user interface. The change of key may be automated via the EPP interface.

For creating a digital signature, you need

  • a private key that is kept secret and may only be accessed by the holder; and
  • a public key published in its own record in the name system.

The digital signature may be verified by using the public key corresponding with the private key. The resolver performs the validation on behalf of the user.

The public keys of the fi-zone are published in the root zone. Registrars maintaining resolving name servers are recommended to configure the trust anchor of the root zone to their name servers. The trust anchor is available on IANA's DNSSEC website.

For a more detailed description on how the DNSSEC works, please see FICORA's DNSSEC brochure [pdf, 232 KB].

Parameters used in the DNSSEC signature of the fi-zone:

  • hash function: SHA-256
  • signature algorithm: RSA
  • NSEC3
  • Opt-Out
  • Zone Signing Key (ZSK): RSA 1024-bit
  • Key Signing Key (KSK): RSA 2048-bit.

The KSK key is used to sign the zone's DNSKEY record group only. The ZSK key is used to sign the zone's other name system records, such as the DS records of the signed sub-zones and the authoritative records of the fi-zone. The life span of a ZSK key is one month and that of a KSK key is one year.

Further information

For more information about DNSSEC, please contact fi-domain-tech(at)ficora.fi


Key words: Internet, Domain names


LinkedIn Print