KEEPING YOUR DNS SECURE


DNSSEC - Signing your SLD

By implementing DNSSEC, you introduce cryptographic assurance that when someone looks up a Domain Name with DNSSEC validation enabled, the answer received is genuine and unaltered. To perform DNSSEC validation there must be an unbroken chain of signatures from the root zone (the invisible ‘dot’ at the end of a Domain Name) down through each label to the full FQDN (Fully Qualified Domain Name), e.g. www.registry.net.za.

Any “gap” in the chain breaks DNSSEC validation, so an unsigned zone also prevents everyone below it in the DNS hierarchy from securing their own zones.

A signed Zone also allows other material to be published in the Zone, such as TLSA records, which let clients verify that the SSL certificates used by secured web sites are in fact the correct ones.

Two methods of signing your zone are described below: BIND and OpenDNSSEC. Both are usually run on Linux (*nix) type systems.

In looking at the provided methods of signing you will see references to the terms NSEC and NSEC3. For a Second Level Domain you should choose NSEC3 over NSEC signing, which stops your zone from being enumerated (walked name by name).

Another useful point is that a nameserver should have only one role: either it holds Zones (authoritative) or it looks up information on behalf of clients (recursive). It should not do both; do not mix these roles. To test that DNSSEC is working, you need to ask a Recursive server that can chase the signatures down from the Root. Asking the Authoritative server directly will not work.
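As an added illustration of why NSEC3 is preferred for an SLD (this is not code from the original page), the following Python computes RFC 5155 NSEC3 hashes and builds both denial-of-existence chains for a small constructed zone: the NSEC chain names every real owner, the NSEC3 chain carries only hashes. The function names and the sample zone are my own; the salt and iteration count are the ones used in the RFC 5155 examples.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex ("Extended Hex") alphabet used by NSEC3
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lower-cased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` further rounds of
    SHA-1(previous || salt); the result is 32 characters of lower-case base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def canonical_order(names):
    """DNSSEC canonical ordering (RFC 4034 section 6.1): compare labels right to left."""
    return sorted(names, key=lambda n: n.lower().rstrip(".").split(".")[::-1])

def nsec_chain(names):
    """NSEC: each record's 'next owner' is a real name, so following the chain
    from the apex lists the whole zone."""
    ordered = canonical_order(names)
    return [(o, ordered[(i + 1) % len(ordered)]) for i, o in enumerate(ordered)]

def nsec3_chain(names, salt_hex, iterations):
    """NSEC3: the same closed chain over hashed owners; a reader of the chain sees
    only hashes, which reveal nothing without guessing names and re-hashing them."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]

# Constructed sample zone (owner names only; not a real zone file)
ZONE = ["example", "a.example", "ns1.example", "ns2.example", "xx.example"]

if __name__ == "__main__":
    for owner, nxt in nsec_chain(ZONE):
        print(f"{owner}. NSEC {nxt}.")
    for owner, nxt in nsec3_chain(ZONE, "aabbccdd", 12):
        print(f"{owner}.example. NSEC3 1 0 12 aabbccdd {nxt}")
```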

Root DNSSEC

DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce.
Click Here for announcements, releases and other pertinent information about the deployment of DNSSEC for the root zone.

DNSSEC (short for DNS Security Extensions)

DNSSEC was designed to protect the Internet from certain attacks, such as DNS cache poisoning [0]. It is a set of extensions to DNS that provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.

DNSSEC DEPLOYMENT

To make deployment of DNSSEC easier, one can also buy a dedicated “DNSSEC Appliance”, which acts as an automated DNS signer for DNS zones. Several vendors are already offering commercial and non-commercial solutions for signing DNS in real time, some of them using external cryptographic hardware such as HSM (Hardware Security Modules), including USB tokens and smart cards.

DNSSEC Key Management

DNSSEC Key Management, including Key Rollover, is done using specialised DNSSEC software, which can be standalone tools or add-ons to your existing DNS software. All major DNS software will have full or partial DNSSEC functionality built in within the next few years.

RELATED RFCs

Related RFCs describe how DNSSEC is mapped onto other protocols and how it is operated:

RFC 5910 – Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)

RFC 4641 – DNSSEC Operational Practices

DNSSEC DATA CONFIDENTIALITY

DNSSEC does not provide confidentiality of data. Also, DNSSEC does not protect against DDoS Attacks.

OpenDNSSEC

This is probably the most popular method of signing Zones and is used by many ccTLDs. The “OpenDNSSEC” software needs to be installed. It uses a second piece of equipment, an HSM (Hardware Security Module), to hold the signing keys and create the signatures; the HSM is what actually signs the Zone.
OpenDNSSEC also comes with a software HSM (SoftHSM), so there is no need to purchase the hardware version. ZA is signed with physical HSMs, as is the “root” of the Internet. Banks and similar organisations will probably do the same.
Most people, though, can rely on the “Soft” HSM. (BIND can also be configured to use HSMs.)
Once set up, this runs automatically, although like any software it may need a prod or two over time.
The software comes with a How-To Guide on setting it up and getting things running.

BIND

BIND sets the standard that all other DNS systems emulate. BIND will allow a Zone to be signed automatically and kept up to date. Currently, though, Signatures need to be created manually, although this too will be automated. Technically, new signatures may only be needed every few years; the Signatures in the Root are already over five years old.


To add DNSSEC to BIND, have a look here:

DNSSEC Validation

The other side of signing is DNSSEC Validation. This is handled by the people who run Recursive Nameservers, the ISPs that provide access to the man in the street. Telkom SA, amongst others, already runs DNSSEC Validation, so as soon as your Zone is Signed, the DNSSEC side will be validated on behalf of a large proportion of end users in South Africa.

DS Records

In order to link the signed SLD into the parent zone .ZA, send the DS record to ZADNA.
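Added here as an illustration of what that DS record contains (this is not ZADNA's or the page's own code): deriving the DS from your KSK's DNSKEY as specified in RFC 4034 (key tag) and RFC 4509 (SHA-256 digest), refusing to produce one for a ZSK. The function names are my own and the DNSKEY below is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (lower-case, length-prefixed labels, root byte)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format, RFC 4034 section 2.1."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag, RFC 4034 Appendix B: 16-bit word sum of the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> str:
    """Build the DS record the parent (.ZA) publishes for this zone's KSK.
    Digest type 2 = SHA-256 over canonical owner name || DNSKEY RDATA (RFC 4509)."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:
        raise ValueError("not a Zone Key (flag bit 7 is clear)")
    if not flags & 0x0001:
        raise ValueError("DS must point at the KSK: Secure Entry Point bit is clear (expect flags 257)")
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

def ds_from_dnskey_text(line: str) -> str:
    """Convert a single-line presentation-format DNSKEY ('owner [TTL] IN DNSKEY
    flags proto alg base64...') into the DS line to hand to the parent."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return ds_record(fields[0], dnskey_rdata(flags, proto, alg, pubkey))

# Constructed placeholder KSK: 32 arbitrary bytes standing in for real RSA key material
FAKE_KSK = "registry.net.za. IN DNSKEY 257 3 8 " + base64.b64encode(bytes(range(32))).decode()

if __name__ == "__main__":
    print(ds_from_dnskey_text(FAKE_KSK))
```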
