DNSSEC FAQs for Registrants
What is DNSSEC?
DNSSEC is a technology upgrade that was developed to, among other things, protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup from root zone to final domain name (e.g., www.example.co). The root zone was signed on July 15, 2010 and the .CO registry is proud to implement DNSSEC within the .CO name space within the first half of 2011. Importantly, DNSSEC does not encrypt data. It just attests to the validity of the address of the site you visit.
How does DNSSEC work?
DNSSEC services protect against most of the threats to the Domain Name System (DNS), including cache poisoning. It is a technical set of security extensions to the DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. DNSSEC does not provide confidentiality of data nor does it protect against DDoS Attacks.
What is cache poisoning?
The simplest form of cache poisoning is simply sending fake “answers” to a user’s DNS server. DNS servers constantly send out questions ("What's the IP address of www.example.co?") and receiving answers ("www.example.co is at 209.237.229.14"). The servers don't actually authenticate the source of the answers. With DNSSEC, the server sends back an authenticated answer ensuring the user that the website viewed is the actual website requested and that a potential security vulnerability is not being exploited.
Why did the .CO registry implement DNSSEC?
As part of our commitment to proactively combat domain name abuse; and to make .CO one of the safest, most secure domain extensions on the Internet, we plan to stay current with various technical and security upgrades available, including the implementation of DNSSEC. With the signing of the root zone in 2010 by ICANN, the .CO registry felt it equally important to provide .CO registrants and Internet users worldwide the assurance that the .CO websites they visit are protected.
How will DNSSEC improve security for the average user?
Full deployment of DNSSEC will ensure the end user is connecting to the actual web site or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it - the directory lookup - complementing other technologies such as SSL and provide a platform for yet to be developed security improvements.
How do I implement DNSSEC on my .CO domain name(s)?
If you wish to implement DNSSEC on your .CO domain name(s), please contact your registrar provider directly. The .CO registry cannot implement DNSSEC directly on registered .CO domains, but has made it available within the name space for this important security upgrade.
Where can I find more information about DNSSEC?
Further information regarding DNSSEC may be found with numerous sources. Related recommended information regarding the signing of the Root Zone may be found on ICANN’s website at http://www.icann.org/en/announcements/dnssec-qaa-09oct08-en.htm. Also, material regarding the technical implications and resources of DNSSEC may be found at www.DNSSEC.net.
Back to Top
Updated: March 2011
Learn about our .COmmunity and how others are using .CO to build a next-level Internet.go.co
View our local website that features news, blog posts, events and information about .COM.CO cointernet.com.co
Find your ideal .COM.CO domain and serve the people of Colombia with a reliable and secure web address. dominios.com.co
