How to secure a domain name with the DNSSEC protocol?
- Who should I contact to secure a domain name with the DNSSEC protocol?
Securing a .pl domain name with the DNSSEC protocol requires a key digest, used to sign a particular zone, to be referred to NASK. A digest should be referred through a registrar servicing a domain name. In case of .gov.pl domain names, a digest should be referred directly to NASK by means of a request for change of domain delegation.
- What is a preferred, safe method of exchange of keys?
Possible methods of rollover, i.e. exchange of keys used to sign zones without breaking the chain of trust, are described in a document RFC4641 "DNSSEC Operational Practices”. In practice, for Zone Signing Keys (ZSK) the most frequently applied method is "Pre-Publish Key Rollover", whereas for Key Signing Keys (KSK) most frequently applied is "Double Signature Zone Signing Key Rollover".
- What is a preferred key encryption algorithm?
Nowadays, algorithm number 8 (RSA/SHA-256) with RSA keys of size at least 2048 bits is most frequently applied. If the infrastructure used to sign zones with DNSSEC provides for, worthy of note is also to apply algorithm number 13 (ECDSA Curve P-256 with SHA-256) enabling the security level comparable with algorithm 8 while generating DNSSEC signatures of a lower size.
- What is a recommended lifetime of keys?
There is no universal recommendation. In this respect own policy should be developed, taking into account risk related with the security of a domain name, key length, method of storing private keys, etc. Policy on the exchange of keys to the .pl zone is provided in a document DNSSEC Policy and Practice Statement.
- What version of BIND is recommended to implement DNSSEC?
It is recommended to use the latest stable version of BIND, provided by ISC at https://www.isc.org/downloads/.