WHY THIS IS IMPORTANT
DNSSEC ensures that internet users are reaching your organization online and have not been redirected to a fraudulent website.
- Webhosting Companies .BANK | .INSURANCE
- DNS Providers .BANK | .INSURANCE
- Check with Your Registrar
ADDITIONAL REQUIREMENT DETAIL
Every zone gets two pairs of keys: the Zone Signing Key (ZSK) and the Key Signing Key (KSK). It is common to generate those keys first. Then, the essential steps are:
- Sign the zone with your ZSK
- Sign the ZSK with your KSK
- Publish the fingerprint of the KSK in the DS record published in the parent zone (for example, when signing the zone for example.bank, the DS record would be published in the .BANK zone, or in the .INSURANCE zone for example.insurance).
- Must not implement obsolete (e.g., weak, experimental, poor) cryptographic algorithms in DNSSEC.
- The following cryptographic algorithms are excluded from use:
  - SHA1 digest in DS, CDS, and SSHFP records
  - RSASHA1 for DNSKEY and CDNSKEY records
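
The excluded values above can be checked mechanically against a zone file or saved `dig` output. The following is an added example, not part of the original page: it assumes one record per line in presentation format, uses the IANA numbers for the named algorithms (digest/fingerprint type 1 for SHA-1, DNSKEY algorithm 5 for RSASHA1), and runs on constructed placeholder records.

```python
import re

# Excluded values named on this page, keyed by record type:
# (index of the field inside RDATA, excluded value, reason).
RULES = {
    "DS":      (2, "1", "SHA-1 digest"),
    "CDS":     (2, "1", "SHA-1 digest"),
    "SSHFP":   (1, "1", "SHA-1 fingerprint"),
    "DNSKEY":  (2, "5", "RSASHA1 key algorithm"),
    "CDNSKEY": (2, "5", "RSASHA1 key algorithm"),
}
CLASSES = {"IN", "CH", "HS"}
TTL = re.compile(r"(\d+[smhdw]?)+", re.I)

# Constructed sample; keys, digests and fingerprints are placeholders.
SAMPLE_ZONE = """\
example.bank. 3600 IN DNSKEY 257 3 13 cGxhY2Vob2xkZXI=
example.bank. 3600 IN DNSKEY 256 3 5 cGxhY2Vob2xkZXI=
example.bank. 3600 IN DS 12345 13 2 00112233445566778899aabbccddeeff
example.bank. 3600 IN DS 12345 13 1 00112233445566778899aabb ; legacy digest
example.bank. IN CDS 12345 13 1 00112233445566778899aabb
host.example.bank. 1h IN SSHFP 4 1 00112233445566778899aabb
host.example.bank. 1h IN SSHFP 4 2 00112233445566778899aabbccddeeff
example.bank. 3600 IN TXT "DS 1 5 1 is only text here"
"""

def find_excluded(zone_text):
    """Return (line_no, rrtype, reason) for each record using an excluded value."""
    findings = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]           # drop trailing comments
        tokens = line.split()
        i = 0 if line[:1].isspace() else 1    # indented line: owner is inherited
        # Skip the optional TTL and class that may precede the record type.
        while i < len(tokens) and (TTL.fullmatch(tokens[i]) or tokens[i].upper() in CLASSES):
            i += 1
        if i >= len(tokens) or tokens[i].upper() not in RULES:
            continue
        rrtype = tokens[i].upper()
        pos, excluded, reason = RULES[rrtype]
        rdata = tokens[i + 1:]
        if len(rdata) > pos and rdata[pos] == excluded:
            findings.append((line_no, rrtype, reason))
    return findings

if __name__ == "__main__":
    for line_no, rrtype, reason in find_excluded(SAMPLE_ZONE):
        print(f"line {line_no}: {rrtype} uses excluded {reason}")
```

Records wrapped across lines with parentheses are not handled; flatten them first or feed the checker output that prints each record on a single line.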