This article describes the function and implementation of DNSSEC, an extension of the Domain Name System that ensures the authenticity and integrity of DNS data. DNSSEC is automatically enabled at METANET for certain nameservers, especially for .ch and .li domains. Activation requires correctly signed DNS zones, while deactivation is not possible for certain domains. The article guides you through the steps for activating and potentially deactivating DNSSEC and notes that DNSSEC data can be manually added after domain transfers.
Introduction
Scope
Availability
Activation
Deactivation
Introduction
DNSSEC is an extension of the Domain Name System (DNS) designed to ensure the authenticity and completeness (integrity) of DNS response data.
Through technical measures, the requesting computer (e.g., internet browser) can thus verify whether the response when accessing an internet address in DNS actually comes from the server registered as authoritative. At the same time, it ensures that this response has not been altered during transport over the internet. Simply put: DNSSEC is a kind of insurance that guarantees the internet user that exactly the website they entered the address for is displayed.
Scope
DNSSEC support is currently limited to the "Domain Service" offering (i.e., domain management) and the nameservers of the web hosting servers. This means the responsible nameservers must be DNSSEC-capable and able to provide a signed DNS zone.
The following METANET nameservers support DNSSEC:
- ns1/ns2.SERVERNAME.metanet.ch ns1/ns2.SERVERNAME.sui-inter.net
The following METANET nameservers support DNSSEC only for .ch and .li domains registered with METANET. Activation occurs automatically:
- ch/nl.pro.io/p.dnh.net - my.metanet.ch nameservers
- ns/ns2/ns3.ch-meta.net - Managed nameservers
- ns/ns2.ch-inter.net - Managed nameservers
The following METANET-managed nameservers are currently not DNSSEC-capable:
- ch/de/nl.ch-inter.net
Availability
Domain Extensions (TLDs)
You can check whether the desired domain extension supports DNSSEC in the respective info box at https://order.metanet.ch/domains.html.
Example: .ch
Incoming Transfers
For certain domain extensions, existing DNSSEC data cannot be properly transferred, and DNSSEC will be disabled upon successful transfer to METANET. Whether the desired domain extension is affected is also indicated in the domain info box. In such cases, you can re-enter the DNSSEC data with us at any time after the transfer is complete.
Activation
To do this, go to the "DNSSEC" tab at the domain level in the domain management:
| To activate DNSSEC for your domain, the DNS zone on the authoritative nameserver must be correctly signed. If you use Plesk nameservers, this signing is possible with this guide: Plesk: Activate DNSSEC |
If this is not the case, activation cannot proceed, and the following message will be displayed:
If the signatures are correctly stored, you can continue activation by clicking "next ...":
You can now enter the resource records. Depending on the chosen domain extension, DS or DNSKEY entries are expected:
DS
DNSKEY
Deactivation
| Deactivation is not possible for .ch and .li domains when using the my.metanet.ch and Managed nameservers. |
If you no longer need DNSSEC, you can disable it at any time using the "Deactivate DNSSEC" function: