FREQUENTLY ASKED QUESTIONS
 


DNSSEC  »   myDNSSEC

  1. Is DNSSEC compulsory for every domain name?
  2. Will DNSSEC affect my domain name if I do not use DNSSEC?
  3. I do not see a DNSSEC option during the domain registration process. How do I add DNSSEC for my domain name?
  4. Why can't I see "DNSSEC" in the "Domain Name" drop-down menu?
  5. I have enabled DNSSEC for my domain name. What do I need to do next?
  6. How do I upload / update the DS Resource Record to MYNIC to complete the chain-of-trust?
  7. What do the terms "Published", "Unpublished", "Pending Publish", "Pending Unpublish" and "Non Publishable" mean?
  8. What would happen if my signature expires and I did not re-sign my zones in time?
  9. Do I need to log in to the Registry System even if my KSK remains unchanged after I have re-signed my zones?
  10. Whom should I contact if I have problems with my domain names that could be due to DNSSEC?
  11. After searching for the domain names for which I have enabled DNSSEC, I see terms such as "Protected" and "Not Protected". What do they mean?
  12. I have enabled DNSSEC and everything is running well. However, I need to change name servers. Why am I not allowed to change my name server settings without disabling DNSSEC?
  13. I do not handle my own zone files even though I am the Technical Contact. What can I do to enjoy DNSSEC?
  14. I have enabled DNSSEC for my domain name. However, after I transfer the domain name to another registrant, I no longer have DNSSEC. Why is this so?
  15. I can see that some of my domain names cannot enable / disable DNSSEC. Why is this so?
  16. I have a stand-by ZSK that was introduced in the apex zone but was not used during signing (pre-published key). Why is it not displayed on the detail page of "Key Update"?
  17. What is the difference between "Retrieve Key from Name Server" and "Update Key Status"?
  18. Is my email also protected when I add DNSSEC for my domain names?
  19. I already use SSL for my website, do I still need DNSSEC?
  20. How much does it cost to add DNSSEC for my domain names?
  21. There are so many abbreviations in DNSSEC. What do they mean?

1. Is DNSSEC compulsory for every domain name?

No, it is not. Domain owners can choose whether or not to secure their zones with DNSSEC. Domain owners who want to do so (or any party they appoint as Technical Contact) must be able to sign their zones. Even though DNSSEC is not mandatory, we strongly encourage domains that use the Internet for critical data (such as banks and online stores) to adopt DNSSEC to protect against hijacking of traffic in the event of cache poisoning.


2. Will DNSSEC affect my domain name if I do not use DNSSEC?

No. DNSSEC is designed to be interoperable with non-security-aware implementations. Signing MYNIC zones with DNSSEC will not change the way DNS works. However, a suitably configured DNS recursive server (also known as a DNS cache server) can now validate signed domain names.

3. I do not see a DNSSEC option during the domain registration process. How do I add DNSSEC for my domain name?

DNSSEC can only be enabled by the Technical Contact once a domain name has been registered successfully. To enable DNSSEC, the Technical Contact has to log in to the Registry System and select the menu “Domain Name -> DNSSEC -> Enable/Disable DNSSEC”. Please note that “Domain Name -> DNSSEC” is a newly added option and is visible only to Technical Contacts.

4. Why can't I see "DNSSEC" in the "Domain Name" drop-down menu?

The "DNSSEC" menu is visible only to the Technical Contact. The Administrative Contact and Billing Contact cannot see the menu.

5. I have enabled DNSSEC for my domain name. What do I need to do next?

Enabling DNSSEC is only the first step in getting your domain name protected by DNSSEC. You then need to sign your zone files and log in to the Registry System to load the DS Resource Record.

6. How do I upload / update the DS Resource Record to MYNIC to complete the chain-of-trust?

Please follow the steps below:

  1. Log in to the Registry System as Technical Contact.
  2. Click on “Domain Name -> DNSSEC -> Update Key”.
  3. Search for the domain name whose keys you want to upload / update.
  4. Select the domain name listed (using the checkbox on the left of the table), and click on “View Details”.
  5. Click “Retrieve Key from Name Server”.

7. What do the terms "Published", "Unpublished", "Pending Publish", "Pending Unpublish" and "Non Publishable" mean?

These terms are defined as follows:

  • Published – The DS Records have been successfully written into a file to be included in the zone signing process.
  • Unpublished – The DS Records have been removed from the file for the signing process (or were set not to be written before they could be written).
  • Pending Publish – The DS Records are placed in a queue to be written to a file when the scheduled job runs. The status stays pending until the job is done.
  • Pending Unpublish – The DS Records are set to be removed from the file that contains the DS Records. The status stays pending until the job is done.
  • Non Publishable – This status is reserved for ZSKs. ZSKs are shown for information only.

8. What would happen if my signature expires and I did not re-sign my zones in time?

To help domain owners, we send a DNSSEC reminder to the Technical Contact 7 days before the expiry date, stating that the signature is expiring and that the zone needs to be re-signed and the result loaded to the Registry System. If the signature expiry remains unchanged 1 day before the expiry of the signature, the system will automatically set all (KSK) keys to “Unpublished” so that the domain can continue to be resolved. Essentially, if all keys are set to “Unpublished” (i.e., none of the DS Records are included in the parent zone), DNSSEC will not be used for that particular domain name. If the DS Records remain in the zone (i.e. nothing is done), the domain name cannot be resolved by recursive servers (operated by ISPs, or by any organization that runs its own recursive server) that have DNSSEC enabled.
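
A monitoring check that applies the thresholds above to a zone's RRSIG records, as an added example (not part of MYNIC's Registry System): it reads the signature expiration field and reports whether the zone is inside the 7-day reminder window or the 1-day window in which the registry sets KSKs to "Unpublished". The sample records are constructed, and treating the soonest-expiring signature as the deciding one is an assumption, since the page does not say which signature the registry inspects.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the presentation format printed by DNS lookup tools;
# names, key tags and signatures are made up for this illustration.
SAMPLE = """\
example.my. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.my. 3600 IN RRSIG DNSKEY 13 2 3600 20240310120000 20240209120000 2068 example.my. c2lnMQ==
example.my. 3600 IN RRSIG SOA 13 2 3600 20240320120000 20240219120000 4660 example.my. c2lnMg==
"""

REMINDER = timedelta(days=7)        # page: reminder sent 7 days before expiry
AUTO_UNPUBLISH = timedelta(days=1)  # page: KSKs set to "Unpublished" 1 day before

def parse_rrsigs(text):
    """Extract type covered, key tag and expiration from RRSIG lines."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        expires = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        sigs.append({"covered": f[4], "key_tag": int(f[10]), "expires": expires})
    return sigs

def expiry_state(text, now):
    """Classify the zone by its soonest-expiring signature (assumption, see lead-in)."""
    sigs = parse_rrsigs(text)
    if not sigs:
        return ("no-signatures", None)
    soonest = min(sigs, key=lambda s: s["expires"])
    left = soonest["expires"] - now
    if left <= timedelta(0):
        state = "expired"
    elif left <= AUTO_UNPUBLISH:
        state = "auto-unpublish-window"
    elif left <= REMINDER:
        state = "reminder-window"
    else:
        state = "ok"
    return (state, soonest)

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
    state, sig = expiry_state(SAMPLE, now)
    print(state, sig["covered"], sig["expires"].isoformat())
```
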

9. Do I need to log in to the Registry System even if my KSK remains unchanged after I have re-signed my zones?

It is best for the Technical Contact to load the keys personally. However, to minimize the effort required to maintain the DNSSEC keys, the Registry System will check the name server when the domain is nearing its signature expiry. If nothing has changed for the KSK except the signature expiry dates, the Registry System will automatically update the expiry date, along with any ZSK updates (since the ZSK is for information only). However, if a KSK rollover has been done, the Technical Contact must log in to the Registry System and click the “Retrieve Key from Name Server” button on the “Update Key” page of the DNSSEC menu (Domain Name -> DNSSEC -> Update Key).

10. Whom should I contact if I have problems with my domain names that could be due to DNSSEC?

If you are not the Technical Contact, we suggest that you first check with your Technical Contact to see whether there are any DNSSEC problems. You can also contact us by calling +603-89917272 or by email at domreg@mynic.my, and we will do our best to investigate and help resolve the issue.

11. After searching for the domain names for which I have enabled DNSSEC, I see terms such as "Protected" and "Not Protected". What do they mean?

The terms "Protected" and "Not Protected" are MYNIC's summary of the DNSSEC status of a domain name. A domain is marked as "Protected" when at least 1 KSK is “Published” (or in "Pending Unpublish"). "Not Protected" applies to domain names that either have not loaded keys into the system or have all keys set to "Unpublished" (or still in "Pending Publish") status. By default, when DNSSEC is first enabled for a domain name, the status is "Not Protected".

12. I have enabled DNSSEC and everything is running well. However, I need to change name servers. Why am I not allowed to change my name server settings without disabling DNSSEC?

MYNIC has placed this restriction to protect users from mistakenly changing name servers without properly considering DNSSEC. If the DS Records included in the .my zone do not match the keys served by the name server, the domain name will be considered bogus and cannot be resolved successfully. To avoid this situation, users must disable DNSSEC before making any change to the name servers. After the change has taken place, the user may enable DNSSEC again. However, note that you need to load the keys again at Update Key so that DNSSEC will continue to work.
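
The DS mismatch described here, and the chain-of-trust that question 6 completes, worked through as an added example (not MYNIC's code): a DS record is the key tag plus a SHA-256 digest over the owner name and the KSK's DNSKEY RDATA (RFC 4034, RFC 4509), so a DS derived from the old KSK stops matching once different name servers serve a different KSK. The domain `example.my` and all key material are constructed placeholders.

```python
import base64
import hashlib
import struct

# Constructed sample data: "example.my" and these keys are made up for this
# illustration (short dummy key material, not real cryptographic keys).
OWNER = "example.my."
OLD_KSK = (257, 3, 13, "AQIDBA==")   # flags, protocol, algorithm, public key
NEW_KSK = (257, 3, 13, "BQYHCA==")   # KSK served by the new name servers
ZSK = (256, 3, 13, "CQoLDA==")

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], 2, digest)

def chain_intact(parent_ds_set, owner, served_dnskeys):
    """True if at least one served KSK (SEP flag bit set) hashes to a parent DS."""
    ksks = [k for k in served_dnskeys if k[0] & 0x0001]
    return any(make_ds(owner, k) in parent_ds_set for k in ksks)

if __name__ == "__main__":
    parent = [make_ds(OWNER, OLD_KSK)]            # DS published in the parent zone
    print("DS:", *parent[0])
    print("same servers:", chain_intact(parent, OWNER, [OLD_KSK, ZSK]))
    print("new servers :", chain_intact(parent, OWNER, [NEW_KSK, ZSK]))
```

Comparing the DS computed from the KSK your name servers actually serve with the DS shown in the registry before and after any key or name server change shows whether validating resolvers would treat the zone as bogus.
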

13. I do not handle my own zone files even though I am the Technical Contact. What can I do to enjoy DNSSEC?

Unfortunately, DNSSEC requires a certain degree of control over the zone files, as the zone files need to be signed. It is best to appoint a party that can handle zone file signing as your Technical Contact, as there are also key management issues to consider (such as the scheduled rollover of keys and the lifetime of each key).

14. I have enabled DNSSEC for my domain name. However, after I transfer the domain name to another registrant, I no longer have DNSSEC. Why is this so?

As with all information attached to the domain name, the new registrant needs to provide the new Administrative Contact, Technical Contact, Billing Contact, name servers, etc. Naturally, the new registrant also needs to decide whether DNSSEC is to be enabled. This also ensures that the DS Records always match the signature for the zone file. If new name servers are used and are unsigned or signed with different keys, the domain name may fail to resolve.

15. I can see that some of my domain names cannot enable / disable DNSSEC. Why is this so?

The only time a domain name cannot enable / disable DNSSEC is when the domain is pending transfer or pending deletion. Other than that, there is no reason why the domain name could not enable / disable DNSSEC.

16. I have a stand-by ZSK that was introduced in the apex zone but was not used during signing (pre-published key). Why is it not displayed on the detail page of "Key Update"?

Please note that when a key is only introduced and is not used for signing, no RRSIG is generated with this key. Therefore, the list does not include such keys. This should not cause any concern, as ZSK data is for information only and is not used in the signing of the .my zones.

17. What is the difference between "Retrieve Key from Name Server" and "Update Key Status"?

"Retrieve Key from Name Server" attempts to get the relevant information from the name server itself and loads the keys into the Registry database. "Update Key Status" allows you to change the status of a key from "Unpublished" to "Published" (where the in-between state is "Pending Publish") and from "Published" to "Unpublished" (where the in-between state is "Pending Unpublish"). You may also change a status of "Pending Publish" to "Unpublished" immediately, as the pending action has not yet been done. Similarly, you may change a status of "Pending Unpublish" to "Published" immediately.

18. Is my email also protected when I add DNSSEC for my domain names?

Because DNSSEC protects your domains and websites at the DNS network layer, your emails are also protected from DNS spoofing and DNS hijacking.

19. I already use SSL for my website, do I still need DNSSEC?

Yes. SSL only encrypts transactions and communication from the customer to your website. But the DNS underneath can still get hijacked. Only adding DNSSEC to your domains can ensure that your customers don’t get their DNS spoofed once they click to come to your website.

20. How much does it cost to add DNSSEC for my domain names?

Presently, MYNIC does not charge customers that sign their .my domain names with DNSSEC. However, please check our website for future developments on the issue of costs.

21. There are so many abbreviations in DNSSEC. What do they mean?

Here is a brief glossary for DNSSEC:

  • DNSKEY - Domain Name System Key
  • DNSSEC - Domain Name System Security Extensions
  • RRSIG - Resource Record Signature
  • IP - Internet Protocol
  • IPv4 - Internet Protocol version 4
  • IPv6 - Internet Protocol version 6
  • KSK - Key Signing Key
  • NSEC - NextSECure
  • NSEC3 - NextSECure but with hashed next domain name
  • RR - Resource Record
  • SEP - Secure Entry Point
  • ZSK - Zone Signing Key