‹ Back
Domain Name System Security Extensions (DNSSEC) 10 February 2012

ENISA: Good Practices Guide For Deploying DNSSEC

In March 2010, the European Network and Information Security Agency (ENISA) issued their “Good Practices Guide For Deploying DNSSEC” with the abstract:

Deploying DNSSEC requires a number of security details and procedures to be defined and followed with specific requirements as to timing. This guide addresses these issues from the point of view of information security managers responsible for defining a policy and procedures to secure the DNS services of a company or an organisation, and from the point of view of competent authorities defining or regulating requirements for deployment.

While the document was created prior to the signing of the root zone in July 2010, the concise 29-page guide still provides a good overview of what is involved with working with DNSSEC and provides good guidelines for using and implementing DNSSEC.

The Table of Contents for the document is:

  • DNSSEC practices statement
  • Signing your zone
    • Value of a signed zone
    • Designing a signing system
    • Signing in a test environment
    • Checking the DNS servers
    • Key generation and management
    • Physical security
    • Use of NSEC3
    • Key rollovers
    • Performance issues
    • Publication of keys
    • Change of registrar
    • Change a zone from signed to unsigned
    • Change of domain holder (registrant)
  • Selecting a product
  • Outsourcing
  • Change of DNS provider
  • Validating DNS queries
    • Configure trust anchors
    • Routers, firewalls and other network equipment
  • Conclusions
  • ANNEX 1: Contents of a TAR’s policy and practices
  • ANNEX 2: Support of DNSSEC on commonly used nameservers
  • Reference

The document is available for free download in PDF form from the ENISA website.

‹ Back

Related resources

State of DNSSEC Deployment 2016
State of DNSSEC Deployment 2016
Domain Name System (DNS)31 December 2016

State of DNSSEC Deployment 2016

This report provides a snapshot of the state of deployment of DNSSEC as of the end of 2016. Please download the...

DNSSEC Policy & Practice Statements (DPS)
Domain Name System Security Extensions (DNSSEC)11 July 2012

DNSSEC Policy & Practice Statements (DPS)

Are you responsible for signing your domain with DNSSEC are are looking to understand more of what may be involved? ...

DNSSEC HOWTO, a tutorial in disguise
Domain Name System Security Extensions (DNSSEC)9 February 2012

DNSSEC HOWTO, a tutorial in disguise

Looking for a comprehensive guide to what DNSSEC is all about?  If so, Olaf Kolkman and the team at NLnet...

Join the conversation with Internet Society members around the world