DNSSEC is an extension of the domain name system (DNS), which serves to ensure the authenticity and integrity of the data in DNS answers.

Technical measures have been implemented which mean that the computer submitting a query (e.g. an internet browser) can now establish whether the answer obtained when calling up an internet address in the DNS does, in fact, come from the server that is registered with us as being the competent one. At the same time, DNSSEC ensures that this answer has not been tampered with as it has been transported via the internet. Put in simple terms: DNSSEC is a type of insurance designed to provide internet users with a guarantee that the website shown is precisely the one whose address they have entered.

Read our brochure for a more detailed description of DNSSEC.

There is actually already a secure data transmission technology incorporated in the internet browser which guarantees that the user will arrive at the "correct" website: SSL encryptation. This involves the websites being encrypted with so-called Secure Sockets Layer (SSL). This is marked with a key symbol in the browser. DNSSEC was not designed to replace SSL encryptation. On the contrary, DNSSEC is intended to supplement SSL and prevent users from being routed to an incorrect server even before the internet connection has been secured with SSL.

As an internet user you do not need to do anything. If your internet access provider supports DNSSEC, then all the checks on the signatures will be made on your provider's DNS servers.

If you as the holder would like to protect your domain name with DNSSEC, the operator of your name servers has to set this up for you. If the name servers are operated by your webhosting provider, please contact them. If your company operates their own name servers please contact your internal IT department.

The current DNSSEC keys for the top level domains .ch and .li are published here for name server operators.

NB: The keys for the top level domains .ch and .li should not be directly configured as trust anchors in your name servers. Instead, you should make sole use of the root-zone keys. Our keys are only set out here for checking purposes.

Current DNSSEC keys

CH: Key 17062, intended validity until 31 December 2017

DS 17062 8 2 B00FD1F2898F1F4A6CF5026656A336A183FF5902F9B9601608099796331BDF0B

LI: Key 10804, intended validity until 31 December 2017

DS 10804 8 2 8C40443351C1CE396B4F6C6E728E0E77D819814E7F12ECFA9E2281675E259657

The "Key Management Practice Statement" document describes how SWITCH handles the cryptographic key material associated with DNSSEC. It explains how the keys are generated and saved and when they lose their validity.

Key Management Practice Statement