
Service Option DNSSEC as a Service (DNSSECaaS)

With DNSSEC, a name server's answers can be digitally signed, which ensures the authenticity of the DNS answers sent. DNSSEC is also the basis for other security mechanisms. For example, "Domain Name based Authentication of Named Entities" (DANE for short) can be used in conjunction with DNSSEC to encrypt mail communication between mail servers, and the authenticity of SSH host keys can be guaranteed via DNSSEC with the help of SSHFP (Secure Shell Fingerprint) records.

Scope of Services and Service Specifics

The DNS zone managed via DNSaaS is signed with DNSSEC (Signing Proxy) during the transfer.

Service Parameter

  • Contact person: Service desk (for fault reports and service requests) https://servicedesk.lrz.de or phone: 089/35831-8800
  • Maintenance times: none
  • Setup times: 2 days plus delays for domain registration and caching

DNSSEC delegations are generally published by the responsible top-level registry with a time delay rather than in real time. These entries are also cached by resolvers. Additional waiting times may therefore occur when activating and deactivating DNSSEC.

Requirements

Zones managed via DNSSECaaS must be registered via the LRZ (see the service "Registration of domain names"). The administration of cryptographic keys for DNSSEC remains in the hands of the LRZ.

User / Customers

This service option is offered to all users of the DNSaaS service.

User Class    Cost Rate
1             Free
2             Free
3             Free
4             Free
5             Free
6             Free

Fees

The use of this service option is free of charge for all users of the DNSaaS service.