Best Practices for Registrars

DNSSec Best Practice for Implementing DNSSec for Registrars

This document is meant for registrars and providers of name server service that are interested in providing the DNSSEC service to their customers within the .ee domain zone. The following is to be seen as advice for service providers in delivering a high quality service.

Crypto algorithms

Key algorithms and parameters used in the .ee zone have been published on the Estonian Internet Foundation's (EIS) homepage:
www.internet.ee/dnssec-en/dnssec-in-estonian-internet-foundation
A service provider should take these values as the basis for their own key parameters. Weaker algorithms will make the service provider the weakest link in the DNSSEC trust chain and, thereby, a potential target for attacks. On the other hand, significantly more complex algorithms require more computing resources, while the security of the trust chain as a whole will not increase. The choices of EIS are based on the parameters used in root name servers.

A two key pair system

It is recommended to use a two key pair system—ZSK and KSK. The ZSK or Zone Signing Key key pair is used for signing records of the specific zone. This key is used quite often, depending on the size of the zone and the number of records; therefore, it is reasonable to keep this key as short as possible in order to optimise computing resources. This in turn means that the key has to be rolled over relatively often for guaranteeing security and reliability. In order to avoid a situation whereby every such rollover requires a corresponding rollover of the key in the .ee zone, a second key pair is used to create the trust chain – KSK, or the Key Signing Key. The public part of the KSK key is forwarded to EIS to validate the DNS records. In order to minimise the rolling over of this key pair, more complex cryptographic algorithms are used for it.

Rollover of ZSK should be performed regularly

The recommended lifetime of the 1024 bit RSA-SHA256 ZSK key pair is from 3 months to 1 year. EIS recommends rolling over keys of this length at least twice a year. All planned and regular rollovers of keys should be automated.
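An added example (not part of the original page and not EIS code) that audits a zone's DNSKEY records against the two-key model and the ZSK recommendations above: it separates KSK from ZSK by the SEP flag, reads the RSA modulus size, computes the key tag, and flags ZSKs that are short or overdue for rollover. The baseline constants, the zone example.ee, the dates, and the generated keys (including the 2048-bit KSK) are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct
from datetime import date

RSASHA256 = 8           # IANA DNSSEC algorithm number for RSA/SHA-256
MIN_ZSK_BITS = 1024     # ZSK size named on this page
MAX_ZSK_AGE_DAYS = 183  # "at least twice a year"

def sample_rsa_key(bits, seed):
    """Constructed test key: RFC 3110 wire form, e=65537, pseudo-random modulus."""
    stream = b"".join(hashlib.sha256(seed + bytes([n])).digest() for n in range(bits // 256))
    modulus = bytes([stream[0] | 0x80]) + stream[1:]
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

def parse_dnskey(line):
    """Split a presentation-format DNSKEY record into flags, protocol, algorithm, key bytes."""
    fields = line.split()
    start = fields.index("DNSKEY") + 1
    flags, protocol, algorithm = (int(f) for f in fields[start:start + 3])
    return flags, protocol, algorithm, base64.b64decode("".join(fields[start + 3:]))

def rsa_modulus_bits(key):
    """Modulus size from the RFC 3110 layout: exponent length, exponent, modulus."""
    exp_len, offset = key[0], 1
    if exp_len == 0:  # three-byte length form used for long exponents
        exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
    return int.from_bytes(key[offset + exp_len:], "big").bit_length()

def key_tag(flags, protocol, algorithm, key):
    """Key tag as defined in RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def audit(records, today):
    """records: (DNSKEY line, activation date) pairs. Returns one report per key."""
    reports = []
    for line, activated in records:
        flags, protocol, algorithm, key = parse_dnskey(line)
        role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit marks the key-signing key
        bits = rsa_modulus_bits(key) if algorithm == RSASHA256 else None
        findings = []
        if algorithm != RSASHA256:
            findings.append("algorithm differs from baseline")
        if role == "ZSK" and bits is not None and bits < MIN_ZSK_BITS:
            findings.append("ZSK shorter than baseline")
        if role == "ZSK" and (today - activated).days > MAX_ZSK_AGE_DAYS:
            findings.append("ZSK rollover overdue")
        reports.append({"role": role, "tag": key_tag(flags, protocol, algorithm, key),
                        "bits": bits, "findings": findings})
    return reports

# Constructed inventory: example.ee, the keys and the dates are illustrative only.
SAMPLE = [
    ("example.ee. 3600 IN DNSKEY 257 3 8 " + sample_rsa_key(2048, b"ksk"), date(2023, 1, 10)),
    ("example.ee. 3600 IN DNSKEY 256 3 8 " + sample_rsa_key(1024, b"zsk-a"), date(2024, 1, 5)),
    ("example.ee. 3600 IN DNSKEY 256 3 8 " + sample_rsa_key(512, b"zsk-b"), date(2023, 3, 1)),
]

if __name__ == "__main__":
    for report in audit(SAMPLE, today=date(2024, 3, 1)):
        print(report)
```

Replace the baseline constants with the values EIS publishes before using the audit on real zones.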

Use NSEC3

NSEC guarantees that queries to the zone for non-existent domain names also receive a signed response. NSEC3 additionally makes it impossible to read out the contents of the zone file with such queries.
As NSEC3 parameters, it is recommended to use one iteration with a 64-bit cryptographic salt whose lifetime is similar to that of the signatures.
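An added example (not part of the original page) that computes RFC 5155 hashed owner names with the recommended parameters and finds the NSEC3 record that proves a name does not exist, showing that the signed denial carries only hashes. The zone contents and salt value are constructed, and "one iteration" is assumed to mean an Iterations field of 1 (one additional hash round).

```python
import base64
import hashlib

# base32 and base32hex (RFC 4648) differ only in alphabet; translate between them.
B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over name||salt, then `iterations` additional rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32_TO_B32HEX).decode().lower()

def nsec3_chain(names, salt_hex, iterations):
    """Sorted hashes linked in a ring, as a signer publishes them in NSEC3 records."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covering_record(chain, qname, salt_hex, iterations):
    """The (owner, next) hash interval proving qname is absent, or None if it exists."""
    target = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner == target:
            return None
        wraps = nxt <= owner  # last record in the ring points back to the first
        if owner < target < nxt or (wraps and (target > owner or target < nxt)):
            return owner, nxt
    return None

# Constructed sample: zone contents and salt are illustrative, parameters follow the page.
SALT = "1a2b3c4d5e6f7081"   # 64-bit salt (8 bytes, 16 hex digits)
ITERATIONS = 1
ZONE = ["example.ee", "www.example.ee", "mail.example.ee", "intranet.example.ee"]
NSEC3PARAM = f"example.ee. 0 IN NSEC3PARAM 1 0 {ITERATIONS} {SALT}"

if __name__ == "__main__":
    print(NSEC3PARAM)
    chain = nsec3_chain(ZONE, SALT, ITERATIONS)
    for owner, nxt in chain:
        print(f"{owner}.example.ee. NSEC3 1 0 {ITERATIONS} {SALT} {nxt}")
    print("denial for nosuch.example.ee:",
          covering_record(chain, "nosuch.example.ee", SALT, ITERATIONS))
```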

Document and test procedures

DNSSEC protects against man-in-the-middle and DNS cache poisoning attacks. However, managing the keys it requires is another critical point in the DNS system that needs attention, as a mistake there may make the protected domain(s) unavailable to a large part of the world.
To avoid this, key management and rollover procedures for regular operation must be ready, as must an action plan for a so-called crisis situation in which the DNSSEC trust chain is already broken. These procedures are not carried out every day, so it is important to have them in writing and to test them accordingly. The most important procedures include:

  • Regular rollover of keys – ZSK and KSK
  • Emergency (attack, system failure, etc.) rollover of keys – ZSK and KSK
  • System recovery plan

Publishing of DPS (DNSSEC Practice Statement)

DPS is an external document describing DNSSEC management in the specific organization. The aim of the document is to present an overview of the principles, procedures and routines used and to give customers and partners a chance to decide whether they trust this solution.

The DPS should be publicly available in the service introduction section of the organisation's homepage.

One key for multiple zones or a separate key for each zone

The same key pairs can be used for multiple DNS zones. However, it should be kept in mind that using the same key pair in multiple zones makes it a more significant target for attacks and, if the keys are compromised, the damage is greater. Therefore, if keys are used extensively, more attention should also be paid to their security, e.g. by using a dedicated HSM (Hardware Security Module). At the same time, HSM providers may limit the number of keys that can be used.

Changing the registrar

Registrars and DNSSEC service providers need to cooperate if the customer has decided to change service providers. As the domain needs to retain continuous DNSSEC protection, the service provider that the customer is leaving should add the DNSSEC public key of the new service provider to its zone next to the existing keys and continue to serve the domain's DNS records until it can be assumed that the keys of the new service provider have reached the caches of the majority of resolving name servers, i.e. up to two days after the key has been added.

Please see also:

Best Practices for Registrars - Elite Partner

Best Practices include requirements for the registrar's staff and registration services, requirements for information published on your websites and the provision of customer service principles.
Best Practices full document, application and more information can be found HERE.

  • Subscription to these Best Practices is a recognition of the registrar’s customer service and the quality of their services!
  • Subscription is a voluntary option for any registrar.
  • Best Practices provide the customers of the subscribing registrars with additional assurance that, when ordering the .ee domain registration services, they will receive reliable information and services that conform to the acceptable quality level.
  • A registrar that has subscribed to Best Practices will have the right to use a quality mark: an Elite Partner logo (right), which differs from the regular accredited registrar logo (left). In addition, an Elite Partner favicon will be added to the registrar table on the www.internet.ee front page.
