Services/DNS

From DcUsers, revision as of 01:06, 2 November 2010 by Duck

NS1 & NS2

DC can provide primary or secondary DNS servers for your zones.

To have your master zone modified on our servers, you can:

DNS Security

To provide as much security as possible, DC supports the following mechanisms.

TSIG

TSIG (RFC 2845, now RFC 8945) authenticates the DNS messages exchanged between primary and secondary servers with an HMAC computed under a shared secret key. Each side can thus check that a zone transfer (AXFR/IXFR), a NOTIFY or a dynamic update really came from the peer holding the key and was not altered in transit, and the signed timestamp limits replays to a short window. TSIG does not encrypt anything: the zone data itself still travels in the clear.
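What a TSIG-protected request looks like on the wire, as an added example written for this page (it is not DC's code and not BIND's): it builds an AXFR request such as a secondary would send, appends a TSIG RR with an HMAC-SHA256 over the message and the TSIG variables as RFC 8945 specifies, and then verifies it the way the receiving server does, rejecting a tampered message, a wrong key and a stale timestamp. The key name, secret and timestamp are constructed placeholders; the code covers requests only (a signed response would also prepend the request's MAC to the hashed data).

```python
import hashlib
import hmac
import struct

# Constructed for this example: a made-up key name and a demo-only shared secret.
# In named.conf both ends would carry the same base64 secret under key "xfer.example.org.".
KEY_NAME = "xfer.example.org."
KEY_SECRET = hashlib.sha256(b"demo-only shared secret, not for real use").digest()
ALG_NAME = "hmac-sha256."
TYPE_TSIG, CLASS_ANY, TYPE_AXFR, CLASS_IN = 250, 255, 252, 1


def encode_name(name):
    """RFC 1035 wire format of a dotted name, uncompressed."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past the name starting at msg[off] (handles compression pointers)."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_axfr_query(zone, msg_id):
    """Constructed sample: the AXFR request a secondary sends to the primary."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)   # QDCOUNT=1, no other sections
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' appended to the message before hashing (RFC 8945 4.3.3)."""
    return (encode_name(key_name).lower() + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALG_NAME).lower()
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)   # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned request; returns the signed wire message."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALG_NAME)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))          # original ID, NOERROR, other len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def tsig_verify(signed, key_name, secret, now):
    """True only if the trailing TSIG RR is keyed by `secret`, fresh, and covers the whole message."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):                          # walk to the last additional RR
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    rr_start = off
    off = skip_name(signed, off)
    owner = signed[rr_start:off]
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or off + rdlen != len(signed):
        return False                                            # TSIG must be the final RR
    if owner.lower() != encode_name(key_name).lower():
        return False                                            # BADKEY: unknown key name
    alg_end = skip_name(signed, off)
    if signed[off:alg_end].lower() != encode_name(ALG_NAME).lower():
        return False
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    p = alg_end + 10
    mac = signed[p:p + mac_size]
    p += mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    time_signed = (hi << 32) | lo
    if abs(now - time_signed) > fudge:
        return False                                            # BADTIME: outside the replay window
    # Rebuild the message as it was before the TSIG RR was appended (original ID, ARCOUNT - 1).
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:rr_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)                   # constant-time, no timing oracle


def demo():
    """Sign an AXFR request and verify it; then show tampering, a wrong key and a stale time failing."""
    t = 1288659960                                              # constructed timestamp (Nov 2010)
    signed = tsig_sign(build_axfr_query("milkypond.org.", 0x1234), KEY_NAME, KEY_SECRET, t)
    tampered = bytearray(signed)
    tampered[13] ^= 0x01                                        # flip one bit in the question name
    return (tsig_verify(signed, KEY_NAME, KEY_SECRET, now=t + 10),
            tsig_verify(bytes(tampered), KEY_NAME, KEY_SECRET, now=t + 10),
            tsig_verify(signed, KEY_NAME, b"wrong secret", now=t + 10),
            tsig_verify(signed, KEY_NAME, KEY_SECRET, now=t + 1000))


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The two points worth noticing are that the MAC is computed over the message as it was before the TSIG RR was added (original ID, ARCOUNT minus one), so a verifier has to reconstruct that exact byte string, and that the comparison uses hmac.compare_digest: a byte-by-byte equality check would leak, through timing, how many leading MAC bytes an attacker got right.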

DC's DNS servers support TSIG, and communication between them is always secured with it. The following entities are known to support TSIG and can therefore transfer zones securely to/from DC:

DNSSEC

DNSSEC aims at establishing a chain of trust from the root of the DNS, so that a resolver can verify that the answer to a query on a zone has not been altered on the way. Starting from the root zone's public key (the trust anchor), a validating resolver checks each delegation step by step down to your zone: the root key signs the root zone, which publishes a DS record (a hash of the child's key-signing key) for org.; the org. key matching that DS signs org., which publishes a DS record for milkypond.org.; the milkypond.org. key then signs the records it serves, for example irc.milkypond.org.. The chain breaks wherever a parent does not publish a DS record for its child's key, and only the registrar can put that record into the parent zone, which is why your provider has to support DNSSEC. Unfortunately, many DNS providers do not support DNSSEC (Gandi is one of them :-/).

To help people secure their zone and be ready when their provider is, the ISC created a way to validate a zone through another trusted path: the security associations (DLV records, which have the same format as DS records) are published in a special zone, dlv.isc.org, called the DLV Registry, which is itself validated the normal way; a resolver configured to trust that registry looks up milkypond.org.dlv.isc.org when the parent zone has no DS for milkypond.org. This was only a stopgap, but as providers seemed in no hurry to do their job, DC decided to use it. (The ISC has since retired DLV: the dlv.isc.org zone was emptied in 2017, so a DS record at the registrar is now the only way to complete the chain of trust.)

DC's DNS servers handle the complicated procedure needed to sign a zone for you: you keep modifying it the classic way, and it is signed automatically. You only need to ask us to switch the zone to secure mode. If your registrar supports DNSSEC, we give you the information the chain of trust needs, namely the DS record (key tag, algorithm, digest type and digest of your key-signing key) to enter at the registrar; if not, we can use the DLV registry. Beware that DNS always means propagation delays, so you may have to wait a few days before the switch is completed and your zone is validated everywhere. The order of operations matters: the DNSKEY must already be served by the zone before the DS goes into the parent, and a DS must be removed from the parent (and the change propagated) before the corresponding key is retired, otherwise validating resolvers answer SERVFAIL for the whole zone.
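The DS record mentioned above (and the DLV record that mirrored it in the lookaside registry) is derived from the zone's key-signing key, and it is worth recomputing it yourself before handing it to a registrar, since a DS that does not match the published DNSKEY breaks the chain for the whole zone. The following is an added example written for this page, not DC's or the ISC's code: it parses a DNSKEY line in zone-file presentation format, computes the RFC 4034 key tag and DS digest, and emits the DS and DLV records. The sample DNSKEY line is constructed, and its two-byte "public key" is a placeholder rather than a real RSA key; dlv.isc.org is named only because the page refers to it (the registry itself has been retired).

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types (RFC 4034, 4509, 6605)


def encode_name(name):
    """RFC 1035 wire format of a dotted name, uncompressed."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit word sum over the RDATA with carry folded in (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 5.1.4: digest over the canonical (lower-case) owner name followed by the DNSKEY RDATA."""
    return DIGESTS[digest_type](encode_name(owner).lower() + rdata).digest()


def parse_dnskey(line):
    """Parse presentation format 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64-key...'."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = int(tokens[i + 1]), int(tokens[i + 2]), int(tokens[i + 3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 2.1.2); key is invalid")
    pubkey = base64.b64decode("".join(tokens[i + 4:]))   # key may be split over several tokens
    return tokens[0], dnskey_rdata(flags, protocol, algorithm, pubkey), flags, algorithm


def ds_record(line, digest_type=2):
    """DS record (presentation format) that the parent zone must publish for this KSK."""
    owner, rdata, flags, algorithm = parse_dnskey(line)
    if not (flags & 0x0001):
        raise ValueError("not a key-signing key (SEP bit clear); only KSKs go into a DS record")
    if not (flags & 0x0100):
        raise ValueError("zone key flag (bit 7) clear; validators would ignore a DS for this key")
    digest = ds_digest(owner, rdata, digest_type).hex().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def dlv_record(line, registry="dlv.isc.org.", digest_type=2):
    """Same RDATA as DS (RFC 4431), published under <zone>.<registry> instead of in the parent zone.
    ISC's registry was retired in 2017; shown only to illustrate how the lookaside path mirrored DS."""
    owner, _, _, _ = parse_dnskey(line)
    rdata_text = ds_record(line, digest_type).split(" IN DS ")[1]
    return f"{owner.rstrip('.')}.{registry} IN DLV {rdata_text}"


# Constructed sample KSK line: flags 257 = zone key + SEP; "AQI=" is a 2-byte placeholder key.
SAMPLE_KSK = "milkypond.org. 3600 IN DNSKEY 257 3 8 AQI="

if __name__ == "__main__":
    print(ds_record(SAMPLE_KSK))    # milkypond.org. IN DS 1291 8 2 <sha256 hex>
    print(dlv_record(SAMPLE_KSK))   # milkypond.org.dlv.isc.org. IN DLV 1291 8 2 <same hex>
```

Two checks in the code reflect real operational mistakes: the digest is taken over the lower-cased owner name (the DS must not change because someone typed MilkyPond.ORG), and a key without the SEP bit, typically the zone-signing key, is refused, since publishing a DS for the ZSK ties the delegation to a key that is rotated far more often.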