2. Implement Domain Name System Security Extensions (DNSSEC) with Strong Cryptographic Algorithms for each zone and subsequent sub-zone for domains that resolve in the DNS.

WHY THIS IS IMPORTANT

DNSSEC ensures that internet users are reaching your organization online and have not been redirected to a fraudulent website.

GET HELP

• Webhosting Companies  .BANK | .INSURANCE
• DNS Providers  .BANK | .INSURANCE
• Check with Your Registrar

 
ADDITIONAL REQUIREMENT DETAIL

Every zone gets two pairs of keys: the Zone Signing Key (ZSK) and the Key Signing Key (KSK). It is common to generate those keys first. Then, the essential steps are:

• Sign the zone with your ZSK
• Sign the ZSK with your KSK
• Publish the fingerprint of the KSK in the DS record published in the parent zone (for example, when signing the zone for example.bank, the DS record would be published in the .BANK zone, or in the .INSURANCE zone for example.insurance.)
  
• Must not implement obsolete (e.g., weak, experimental, poor) cryptographic algorithms in DNSSEC.
  • https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Algorithms
  • https://tools.ietf.org/html/rfc8624
  • https://tools.ietf.org/html/rfc4035
  • https://www.icann.org/en/system/files/files/registrar-sha-1-dnssec-27feb20-en.pdf
• The following cryptographic algorithms are excluded from use
  • SHA1 digest in DS, CDS, and SSHFP records
  • RSASHA1 for DNSKEY and CDNSKEY records