DNSSEC is an extension of the domain name system (DNS), which serves to ensure the authenticity and integrity of the data in DNS answers.

Technical measures have been implemented which mean that the computer submitting a query (e.g. an internet browser) can now establish whether the answer obtained when calling up an internet address in the DNS does, in fact, come from the server that is registered with us as being the competent one. At the same time, DNSSEC ensures that this answer has not been tampered with as it has been transported via the internet. Put in simple terms: DNSSEC is a type of insurance designed to provide internet users with a guarantee that the website shown is precisely the one whose address they have entered.

Read our brochure for a more detailed description of DNSSEC.

There is actually already a secure data transmission technology incorporated in the internet browser which guarantees that the user will arrive at the "correct" website: SSL encryptation. This involves the websites being encrypted with so-called Secure Sockets Layer (SSL). This is marked with a key symbol in the browser. DNSSEC was not designed to replace SSL encryptation. On the contrary, DNSSEC is intended to supplement SSL and prevent users from being routed to an incorrect server even before the internet connection has been secured with SSL.

As an internet user you do not need to do anything. If your internet access provider supports DNSSEC, then all the checks on the signatures will be made on your provider's DNS servers.

As the holder of a domain name your website operator will need to set up DNSSEC for you. Since DNSSEC will not be very widespread precisely during the initial phase, it will probably be the case that only operators of websites requiring protection (e.g. banks) will protect their domain names with DNSSEC to begin with.

The current DNSSEC keys for the top level domains .ch and .li are published here for name server operators.

NB: The keys for the top level domains .ch and .li should not be directly configured as trust anchors in your name servers. Instead, you should make sole use of the root-zone keys. Our keys are only set out here for checking purposes.

Current DNSSEC keys

CH: Key 30010, intended validity until 31 December 2016
DS 30010 8 1 6C987A562D76215ADA6FA9D8B21E5EF5F7D2BA49
DS 30010 8 2 53EC0B45A417CBA93884BD1D2D22249274A6424BDD2CF9CAE55A0B09F73DEE54

LI: Key 10600, intended validity until 31 December 2016
DS 10600 8 1 8862B0256FB199991A445D5C02664D188AFF4A66
DS 10600 8 2 517A05281B5B392207920DB42D9AE352B6498C09B4494381C006C3727F6A4081

The "Key Management Practice Statement" document describes how SWITCH handles the cryptographic key material associated with DNSSEC. It explains how the keys are generated and saved and when they lose their validity.

Key Management Practice Statement