How to secure a domain name with the DNSSEC protocol?
Securing a .pl domain name with the DNSSEC protocol requires the digest of the key used to sign the zone (the DS record data) to be submitted to NASK. The digest should be submitted through the registrar servicing the domain name. For .gov.pl domain names, the digest should be submitted directly to NASK by means of a request for change of domain delegation.
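As an added example (not from NASK or the original page), the following Python script derives the DS record data that is submitted to NASK from a zone's DNSKEY record, following RFC 4034 (key tag from Appendix B, digest from section 5.1.4), and checks that a DS line prepared for submission actually matches the key. The DNSKEY sample is constructed with a made-up public key, and example.pl is a placeholder owner name.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY in presentation format: a KSK (flags 257), protocol 3,
# algorithm 8 (RSA/SHA-256). The public key is a short made-up blob, not a real key.
SAMPLE_DNSKEY = "example.pl. IN DNSKEY 257 3 8 AwEAAavN7xI="

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY line into (owner, flags, protocol, algorithm, key bytes)."""
    parts = line.split()
    idx = parts.index("DNSKEY")  # tolerates an optional TTL/class before the type
    flags, protocol, algorithm = (int(x) for x in parts[idx + 1 : idx + 4])
    pubkey = base64.b64decode("".join(parts[idx + 4 :]))  # base64 may be split into chunks
    return parts[0], flags, protocol, algorithm, pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(line: str, digest_type: int = 2):
    """Compute DS RDATA (key tag, algorithm, digest type, hex digest) for a DNSKEY line.
    Digest = hash(owner name in wire form + DNSKEY RDATA), RFC 4034 section 5.1.4."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(submitted: str, dnskey_line: str) -> bool:
    """Check that DS data prepared for submission ("tag alg dtype digest") matches the DNSKEY."""
    parts = submitted.split()
    tag, alg, dtype = (int(x) for x in parts[:3])
    digest = "".join(parts[3:]).upper()  # hex digest may be printed in several chunks
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, digest)

if __name__ == "__main__":
    print("%s IN DS %d %d %d %s" % ((SAMPLE_DNSKEY.split()[0],) + ds_from_dnskey(SAMPLE_DNSKEY)))
```

Run it against the output of your own signer before submitting the DS data, so that a mistyped key tag or digest is caught before the delegation is changed.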
Possible methods of rollover, i.e. exchanging the keys used to sign zones without breaking the chain of trust, are described in RFC 4641, "DNSSEC Operational Practices". In practice, the most frequently applied method for Zone Signing Keys (ZSK) is "Pre-Publish Key Rollover", whereas for Key Signing Keys (KSK) it is "Double Signature Zone Signing Key Rollover".
Nowadays, algorithm number 8 (RSA/SHA-256) with RSA keys of at least 2048 bits is the most frequently used. If the infrastructure used to sign zones with DNSSEC supports it, algorithm number 13 (ECDSA Curve P-256 with SHA-256) is also worth considering: it provides a security level comparable to algorithm 8 while producing smaller DNSSEC signatures.
There is no universal recommendation. Each operator should develop its own policy, taking into account the risk related to the security of the domain name, the key length, the method of storing private keys, etc. The key rollover policy for the .pl zone is described in the document "DNSSEC Policy and Practice Statement" (PDF).
It is recommended to use the latest stable version of BIND, provided by ISC at https://www.isc.org/downloads/.
Before implementing DNSSEC it is advisable to study the subject thoroughly, to avoid mistakes that may result in the domain name becoming unavailable.
We encourage you to evaluate your readiness to implement DNSSEC. For this purpose you may use the "DNSSEC Infrastructure Audit Framework" (PDF).