DNSSEC & Registry Lock
DNSSEC and Registry Lock
DNSSEC adds a layer of trust and validation to your DNS infrastructure. Registry Lock protects your domain from any unintended, unwanted or accidental modifications.
DNSSEC provides data origin authentication and data integrity verification to the DNS through the use of public key cryptographic signatures. It relies on a chain of trust within the DNS infrastructure that guarantees that the response you receive has not been tampered with in any manner. For more information please see our FAQ section.
To add DNSSEC protection to your .ie domain name you simply need to send us the relevant DNSSEC records (DS Record) via secure email.
Please note that change requests must be signed by the administrative contact listed in our records for the given domain(s).
The firstname.lastname@example.org mailbox is manually operated during business hours 9:00 am – 5:30 pm, Monday – Friday.
Registry Lock is a service that allows you to protect your domain registration from any unintended, unwanted or accidental modifications.
Registry Lock ensures that any request to modify your domain must be authorised through a specialised and manual verification process. This process is carried out by us and your Registrar.
The process is simple. When you want to make a change to your domain registration you contact your registrar. The nominated contact from your registrar company will then be responsible for submitting requests to us to lock or unlock your domain.
Changes to the status of your domain are then authorised manually by telephone using a person-specific verification process which protects against automation errors and system compromises.
When the Registry Lock service is activated for a domain no unauthorised changes will be permitted to the following records:
- Domain Holder changes
- Billing Contact changes
- Administrative Contact changes
- Technical Contact changes
- Modifications to the domain registration by our staff
- DNS Record (Name Servers) changes
- Voluntary deletion of the domain
How to activate Registry Lock
If your domain is managed by an accredited registrar, they will guide you through the setup process, and confirm the cost of the service.
If your domain is not currently managed by a registrar, you need to transfer the management (billing) of your domain to an accredited registrar who offers the locking service. Further information on the billing transfer process is available here.
Click here for the Registrar Terms and Conditions for this locking service.
DNSSEC provides data origin authentication and data integrity verification to the DNS through the use of public key cryptographic signatures. Public key cryptography uses asymmetric key algorithms of mathematically related key pairs in the form of a secure private key and a published public key. The combination of the key pair enables the verification of the authenticity of a DNS message through the creation of a digital signature of the DNS data using the secure private key. This signature can in turn be verified by a recipient security aware resolver using the already published public key from the pair.
The DNS Internet protocol was originally designed with virtually no security in its specifications. This protocol was fit for purpose during the earlier days of the Internet in the 1980s and early 1990s. As time progressed, DNS began to experience several distinct classes of vulnerabilities and threats, which may be exploited in an insidious manner. The threats include, but are not limited to, packet interception, query identity prediction, cache poisoning and betrayal by a trusted server.
The domain owner and the client looking up DNS information about the domain can benefit from the cryptographic guarantees that DNSSEC delivers. Domain owners can be assured that their DNS data is not being manipulated through any means. Domain owners’ customers can be certain that they are receiving the correct DNS data for the domain they are looking up.
You should get in touch with your DNS administrator or if you outsource your DNS administration to an accredited .ie registrar, you should contact them for assistance.
If you manage your DNS settings and DNSSEC data, your domain remains signed. If you do not manage your own DNS and DNSSEC data and if the gaining registrar supports DNSSEC and manages your DNS settings, your domain remains signed. If they don’t support DNSSEC, you need to use the DNSSEC Registrant Change Request Form to request the removal of the DS-records. That would mean that your domain is going unsecured or without DNSSEC signatures.