The Domain Name System (DNS) is a globally-distributed Internet service. Among other services, it provides name-to-number (forward) and number-to-name (reverse) translations using defined client-server and server-server protocols. The DNS is a public service, and any user is freely able to query the DNS for forward or reverse translations.

How does it work?

With DNSSEC, the answers to a DNS lookup are digitally signed, allowing the DNS client (resolver) to verify that the information it received is identical to the information held on the authoritative name server. This ensures that outgoing Internet traffic is always sent to the correct servers. New record types were created to facilitate this:

  • RRSIG – Resource Record Signature
  • DNSKEY – DNS Public Key
  • DS – Delegation Signer
  • NSEC – Next Secure

Security Extensions

DNS Security Extensions (DNSSEC) protect the Internet from certain attacks, such as forging DNS data, that can redirect Internet traffic to fraudulent websites. DNSSEC is a set of extensions to the DNS that provide:

  • Authentication of the origin of DNS data
  • Data integrity
  • Authenticated denial of existence

How is APNIC participating?

APNIC is participating in this very important project to ensure the Internet remains a trustworthy and useful tool for everyone. APNIC is following a three-phase implementation plan:

Phase 1
Equipment selection and testing (complete)
Phase 2
Signing of APNIC zones (complete)
Phase 3
Introduction of Member DNSSEC data (complete)

Phase 3 allows activation of DNSSEC protection for the reverse zones by updating the “ds-rdata:” attribute of domain objects in the APNIC Whois Database. The value of the Delegation Signer (DS) resource records from the zone file is used for the “ds-rdata:” attribute. A successful update of the domain objects will result in updating the parent zone data that is stored in APNIC’s name

How can you update domain objects in MyAPNIC?

Using the Whois template to update a single domain object

Add an optional attribute field “ds-rdata” to your domain object and enter your DS resource records.

Using the Bulk update form to update multiple domain objects

Attach your plain text zone file containing your Name Server and/or DS resource records:

0.168.192.in-addr.arpa. 86400 IN NS new.ns1.apnic.net.
0.168.192.in-addr.arpa. 86400 IN NS new.ns2.apnic.net.
0.168.192.in-addr.arpa. 86400 IN DS 33736 5 1
0.168.192.in-addr.arpa. 86400 IN DS 33736 5 2 8713C008030EBB FD7A28FC
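As an added example (not APNIC's own tooling), the following Python script pulls the DS records out of a zone file like the one above, checks that each digest has the length its digest type requires (a truncated digest would otherwise be copied straight into the “ds-rdata:” attribute), and renders the domain: / ds-rdata: lines for the Whois template. The sample zone text and its digests are constructed.

```python
import re
# Constructed sample zone (not APNIC data); the last DS digest is deliberately truncated.
SAMPLE_ZONE = """\
0.168.192.in-addr.arpa. 86400 IN NS new.ns1.example.net.
0.168.192.in-addr.arpa. 86400 IN DS 33736 5 1 0123456789abcdef0123456789abcdef01234567
0.168.192.in-addr.arpa. 86400 IN DS 33736 5 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1.168.192.in-addr.arpa. 86400 IN DS 12345 8 2 8713C008030EBB
"""

# Digest length in hex chars per DS digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
DS_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(?P<tag>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<dtype>\d+)\s*(?P<digest>[0-9A-Fa-f\s]*)$"
)

def parse_ds(line):
    """Return (owner, ds-rdata value) for one DS line, or raise ValueError."""
    m = DS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a DS record: {line!r}")
    tag, alg, dtype = int(m["tag"]), int(m["alg"]), int(m["dtype"])
    digest = re.sub(r"\s+", "", m["digest"]).upper()  # presentation format allows spaces
    if not 0 <= tag <= 65535:
        raise ValueError(f"key tag out of range: {tag} in {line!r}")
    need = DIGEST_HEX_LEN.get(dtype)
    if need is None or len(digest) != need:
        raise ValueError(f"bad digest: type {dtype}, {len(digest)} hex chars in {line!r}")
    return m["owner"].rstrip(".").lower(), f"{tag} {alg} {dtype} {digest}"

def ds_rdata_objects(zone_text):
    """Group valid DS rdata by owner; rejected lines go to errors, never silently dropped."""
    objects, errors = {}, []
    for line in zone_text.splitlines():
        if not re.search(r"\sDS\s", line):
            continue  # NS and other records are not ds-rdata material
        try:
            owner, rdata = parse_ds(line)
            objects.setdefault(owner, []).append(rdata)
        except ValueError as exc:
            errors.append(str(exc))
    return objects, errors

def whois_template(objects):
    """Render domain: and ds-rdata: lines (other mandatory attributes omitted)."""
    lines = []
    for name, rdatas in objects.items():
        lines += [f"domain:   {name}"] + [f"ds-rdata: {r}" for r in rdatas] + [""]
    return "\n".join(lines)
```

Run it over your own zone file and review the errors list before pasting the rendered lines into the template; an empty or short digest is rejected rather than submitted.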

APNIC operational settings

The following values are the operational parameters used by APNIC for our DNSSEC:

Key sizes
KSK is 2048-bit; ZSK is 1024-bit
Roll-over frequency
KSK – mid-May after 02:00 (UTC +10); ZSK – monthly on the 1st of the month after 02:00 (UTC +10)
Zone re-sign frequency
Daily at 00:00 (UTC +10)
Signature validity
RRSIGs are valid for 30 days