DNSSEC Practice Statement is available here.

DNSSEC is an extension of DNS protocol that ensures authenticity and data integrity of DNS replies.

DNSSEC for .si was deployed on December 1, 2011 and Chain of Trust was completed on December 24, 2011.

Arnes’ recursive servers are DNSSEC enabled since June 2011 (DO bit is on, RFC 3225), meaning that recursive servers will try to validate DNSSEC records, if present in DNS replies.

If domain name under .si is not DNSSEC signed, then no problems can arise regarding DNSSEC validations.

Signed domain name can fail to work if:

  • digital signatures have expired,
  • domain name administrator disabled DNSSEC, but did not inform his parent zone,
  • computer clocks are wrong,
  • firewalls block bigger DNS replies (port default is 512 B, which needs to be changed, RFC 2671).

In first three instances server will return SERVFAIL error, whereas TIMEOUT in the latter. In both cases users will experience webpage and mail errors/unavailability.