DNSSEC implementation

DNSSEC is a security extension of the DNS protocol. It works by signing (not encrypting) all entries in a zone file using public-key cryptography. A digest of the public key is then published in the zone above yours, creating a “chain of trust” leading back to the root zone.

This makes it impossible to forge DNS information undetected unless you have access to the private key used to sign the DNS records: a validating resolver rejects data whose signatures do not verify along that chain.

We have implemented DNSSEC according to the relevant DNSSEC RFCs:

  • RFC 4033: DNSSEC, Introduction and Requirements.

  • RFC 4034: DNSSEC, Resource records.

  • RFC 4035: DNSSEC, Protocol modifications.

  • RFC 4641: DNSSEC, Operational best practices.

  • RFC 5155: DNSSEC, NSEC3.

  • RFC 5702: DNSSEC, SHA2.

  • RFC 5910: DNSSEC & EPP.

  • RFC 8624: Algorithm Implementation Requirements and Usage Guidance for DNSSEC.

The implementation of DNSSEC for .be domain names is optional. If you choose not to implement DNSSEC, you will not have to adapt your systems in any way.

If you do choose to implement DNSSEC, you only have to upload the public part of each domain name’s key signing key (KSK). DNS Belgium will create the key digests (DS records) and publish them in the .be zone file.

DNSSEC keys

As you can read in the RFCs, a DNSSEC key consists of several parts:

  • Keytag: contains the keyID, generated when signing your zone file.

  • Flag: indicates the key type; DNS Belgium only supports the uploading of Key Signing Keys (KSK).

  • Protocol: indicates the protocol used, which is 3 (meaning DNSSEC) by default.

  • Algorithm: DNS Belgium supports the following algorithms to generate keys:

    • (5) RSA-SHA1

    • (7) RSA-SHA1-NSEC3

    • (8) RSA-SHA256

    • (10) RSA-SHA512

    • (13) ECDSA Curve P-256 with SHA-256

    • (14) ECDSA Curve P-384 with SHA-384

    • (15) ED25519

    • (16) ED448

  • Public key: contains the value of the public key itself. This is generated when signing your zone file.

DS records will be published in the .be zone immediately. DNS Belgium won’t perform any validation on the DNSSEC information of your domain names. It is up to you, as the registrar, to ensure that the chain of trust isn’t broken. You can also check the security of the domain name with the on-demand DNS check on the Registrar Web Interface.
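As an added illustration (not DNS Belgium’s own code) of how the key parts above fit together: the Python below parses a DNSKEY record, derives its key tag (RFC 4034 Appendix B), computes the SHA-256 DS digest a parent zone publishes for it, and checks the record against the upload constraints listed above (KSK only, protocol 3, supported algorithm). The owner name example.be. and the 64-byte key are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct

# Algorithm numbers DNS Belgium accepts for uploaded keys (from the page above).
SUPPORTED_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}
KSK_FLAGS = 257  # ZONE (256) + SEP (1): a Key Signing Key

def parse_dnskey(rr: str) -> dict:
    """Parse presentation format: '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64>'."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": base64.b64decode("".join(fields[idx + 4:]))}

def dnskey_rdata(key: dict) -> bytes:
    """Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]

def key_tag(key: dict) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, #1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(key: dict) -> str:
    """DS record with digest type 2 (SHA-256), as the parent zone publishes it:
    digest = SHA-256(owner name in lowercase wire format || DNSKEY RDATA)."""
    labels = key["owner"].lower().rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels if l) + b"\x00"
    digest = hashlib.sha256(wire_name + dnskey_rdata(key)).hexdigest().upper()
    return f"{key['owner']} IN DS {key_tag(key)} {key['algorithm']} 2 {digest}"

def check_ksk(key: dict) -> list:
    """Reasons a key would be refused for upload; empty list if it is acceptable."""
    problems = []
    if key["flags"] != KSK_FLAGS:
        problems.append(f"flags {key['flags']}: only KSKs (flags 257) may be uploaded")
    if key["protocol"] != 3:
        problems.append(f"protocol {key['protocol']}: must be 3 (DNSSEC)")
    if key["algorithm"] not in SUPPORTED_ALGORITHMS:
        problems.append(f"algorithm {key['algorithm']}: not supported")
    return problems

# Constructed sample, not a real key: 64 bytes (1..64) standing in for a P-256 public key.
SAMPLE_KEY = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_RR = f"example.be. 3600 IN DNSKEY 257 3 13 {SAMPLE_KEY}"
```

`ds_record(parse_dnskey(SAMPLE_RR))` yields the DS line you can compare against what the .be zone serves for your domain; feeding `check_ksk` a flags-256 (ZSK) record shows why such a key would be refused.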

DNSSEC keygroups

Analogous to name server groups, DNS Belgium allows registrars to create keygroups. A keygroup bundles several keys in one object, which simplifies the mapping between a domain and a list of keys. Linking a domain name to a keygroup has the same effect as individually linking all the keys in that keygroup to the domain name when the zone file is generated or updated.

Since one keygroup can be linked to any number of domain names, the number of key creations or replacements is drastically reduced. For instance, consider a keygroup linked to 100 domain names. Changing a single key in that keygroup requires 1 update instead of the 100 individual domain name updates that would be needed without keygroups.

Requirements for keygroups are:

  • Each keygroup must have a unique name within your account.

  • A keygroup can hold at most 4 keys.

  • A keygroup can be linked to any number of domain names.

  • Only 1 keygroup can be linked to each domain name.

  • A domain name with a keygroup can’t have individual keys and vice versa.