DNSSEC & Registry Lock
DNSSEC adds a layer of trust and validation to your DNS infrastructure. Registry Lock protects your domain from any unintended, unwanted or accidental modifications.
DNSSEC is an extension to the DNS that adds two important features:
- Data origin authentication: permits a validating DNS resolver to verify that the data it receives for a zone comes from a valid authoritative DNS server, thus mitigating potential man-in-the-middle attacks.
- Data integrity protection: allows the validating resolver to verify that the received DNS data has not been modified in transit by a malicious party.
These are achieved using digital signatures based on public key cryptography. This creates a chain of trust within the DNS infrastructure that mitigates man-in-the-middle attacks which either provide false answers to DNS queries or tamper with valid responses. For more information, please see our FAQ section.
To add DNSSEC protection to your .ie domain name, you first need to be using a DNS service provider that supports DNSSEC signing of domains. Secondly, once you have enabled DNSSEC on your authoritative DNS servers, you will need to submit a DS record to be published in the .ie domain; this ensures that the chain of trust can be validated. The DS record is accepted from Registrants via their Registrars, who can submit it to the Registry via either EPP or the Titan Web Portal.
The relevant EPP extensions are documented in RFC 5910 and we strongly encourage Registrars to support this EPP extension.
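A DS record is a digest of the zone's DNSKEY, so a DS that does not match the key actually served by the authoritative servers causes validating resolvers to reject the domain. The following Python is an added example, not registry or registrar tooling: it derives the SHA-256 DS from a DNSKEY and lists the reasons a DS about to be submitted fails to match. The owner name `example.ie`, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample data: 64 arbitrary bytes standing in for an algorithm 13
# (ECDSA P-256) public key. Not a real key; example.ie is a placeholder name.
SAMPLE_OWNER = "example.ie"
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (16 bits), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 digest in hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

def check_ds(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """List the reasons a DS ("tag alg type digest") fails to match the DNSKEY."""
    fields = ds_text.split()
    if len(fields) < 4 or not all(f.isdigit() for f in fields[:3]):
        return ["expected: key-tag algorithm digest-type digest"]
    tag, alg, _, digest = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
    problems = []
    if not flags & 0x0100:
        problems.append("DNSKEY is not a zone key")
    if int(fields[0]) != tag:
        problems.append(f"key tag {fields[0]} != {tag}")
    if int(fields[1]) != alg:
        problems.append(f"algorithm {fields[1]} != {alg}")
    if fields[2] != "2":
        problems.append("digest type is not 2 (SHA-256); not checked here")
    elif "".join(fields[3:]).upper() != digest:
        problems.append("digest mismatch")
    return problems
```

Calling `check_ds` with the DS text and the DNSKEY fields published by your signer returns an empty list when the two agree; the digest covers the owner name, so a DS generated for a different domain fails even if the key is identical.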
In the event of any difficulties with submitting a DS record via a Registrar, the Registrant can submit it directly to the registry as a method of last resort. To do this, you must have PGP-secured email set up. Complete the DNSSEC Registrant Change Request Form, attach it to a PGP-signed email and send it to firstname.lastname@example.org.
Please note that change requests must be signed by the administrative contact listed in our records for the given domain(s).
The email@example.com mailbox is manually operated during business hours 9:00 am – 5:30 pm, Monday – Friday.
Registry Lock is a service that allows you to protect your domain registration from any unintended, unwanted or accidental modifications.
Registry Lock ensures that any request to modify your domain must be authorised through a specialised and manual verification process. This process is carried out by us and your Registrar.
The process is simple. When you want to make a change to your domain registration you contact your registrar. The nominated contact from your registrar company will then be responsible for submitting requests to us to lock or unlock your domain.
Changes to the status of your domain are then authorised manually by telephone using a person-specific verification process which protects against automation errors and system compromises.
When the Registry Lock service is activated for a domain no unauthorised changes will be permitted to the following records:
- Domain Holder changes
- Billing Contact changes
- Administrative Contact changes
- Technical Contact changes
- Modifications to the domain registration by our staff
- DNS Record (Name Servers) changes
- Voluntary deletion of the domain
How to activate Registry Lock
If your domain is managed by an accredited registrar, they will guide you through the setup process, and confirm the cost of the service.
If your domain is not currently managed by a registrar, you need to transfer the management (billing) of your domain to an accredited registrar who offers the locking service. Further information on the billing transfer process is available here.
Click here for the Registrar Terms and Conditions for this locking service.
DNSSEC provides data origin authentication and data integrity verification to the DNS through the use of public key cryptographic signatures. Public key cryptography uses asymmetric key algorithms with mathematically related key pairs, each consisting of a secure private key and a published public key. The key pair makes it possible to verify the authenticity of a DNS message: a digital signature of the DNS data is created using the secure private key, and this signature can in turn be verified by a recipient security-aware resolver using the already published public key from the pair.
The DNS Internet protocol was originally designed with virtually no security in its specifications. This protocol was fit for purpose during the earlier days of the Internet in the 1980s and early 1990s. As time progressed, DNS began to experience several distinct classes of vulnerabilities and threats, which may be exploited in an insidious manner. The threats include, but are not limited to, packet interception, query identity prediction, cache poisoning and betrayal by a trusted server.
The domain owner and the client looking up DNS information about the domain can benefit from the cryptographic guarantees that DNSSEC delivers. Domain owners can be assured that their DNS data is not being manipulated through any means. Domain owners’ customers can be certain that they are receiving the correct DNS data for the domain they are looking up.
You should get in touch with your DNS administrator or, if you outsource your DNS administration to an accredited .ie registrar, contact them for assistance.
If you manage your DNS settings and DNSSEC data, your domain remains signed. If you do not manage your own DNS and DNSSEC data, and the gaining registrar supports DNSSEC and manages your DNS settings, your domain remains signed. If they don't support DNSSEC, you need to use the DNSSEC Registrant Change Request Form to request the removal of the DS records. That would mean that your domain becomes unsecured, that is, without DNSSEC signatures.