DNSSEC

Q. What DNSSEC protocol (DSData, KeyData) will you use?

A. The registry will accept key data but no action is taken. Only DS data is processed. It is the registrar’s responsibility to verify the DS data.

Q. Which standard are you using for DNSSec?

A. Details:

– The use of HSM modules for the generation and storage of keys to ensure that keys cannot be compromised
– A 2048bit Key Signing Key
– A 2048bit Zone Signing Key
– The use of RSA⁄SHA-256
– KSK rollovers every 12 months, using the double RRset method
– ZSK rollovers every month, using the pre-publication method
– Algorithm rollovers specifically planned per event; at present, an alternative to RSA⁄SHA-256 is not yet proposed
– NSEC3 with opt-out – to reduce overhead of zone file size increases
– TTL on records 14,400 seconds to minimize risks during and allow for emergency key rollovers.
– Use the DNS software’s automatic re-signing of RRSIGs to prevent signatures from expiring causing validation failures.
– A 7 day signature refresh period to protect against failures in signing systems.
– A 14 day signature validity period;
– The addition of a random time offset for all signature expiry during the initial generation to help evenly distribute expiry & minimize DNS load
– Key rollovers coordinated according to a pre-calculated safety schedule

Q. When are you going to start DNSSEC support?

A. Donut’s TLDs will support DNSSEC at launch.

‍