DNSSEC – Secure your domain

"DNSSEC provides the ability for DNS servers and resolvers to trust DNS responses by using digital signatures for validation. When a resolver issues a query for a name, the accompanying digital signature is returned in the response. Validation of the signature is then performed through the use of a preconfigured trust anchor. Successful validation proves that the data has not been modified or tampered with in any way."

Humans use names to identify one another, while computers use unique numbers known as IP addresses. To simplify communication on the Internet, each connected computer is assigned both a unique name, which humans can easily remember, and a unique IP address to aid communication with other computers. To map names to IP addresses we use the Domain Name System (DNS).

DNS is a hierarchical, distributed database that allows users to locate resources on the network by converting friendly, human-readable names like www.dnssec.or.tz to IP addresses that computers can connect to. When one is surfing or sending e-mail to a certain web address, this is done with the aid of queries in the Domain Name System.

* DNS works exactly like your phone book as it translates names to phone numbers.

Security Issues

When DNS was created there was not much emphasis on security. It was later noted that there are multiple ways in which the communication involved in DNS queries may be falsified. This may be used by malicious parties to trick Internet users into providing sensitive information such as passwords and credit card details. Because of this, doing any sort of online business that involves exchange of sensitive information becomes a challenge.

Many solutions have been introduced to counter vulnerabilities in DNS queries, but the fundamental problem still lies in the functioning of DNS. This is why a security extension of DNS, namely DNSSEC, has been developed. With DNSSEC the Domain Name System is secured from abuse by cryptographically signing answers to DNS queries. This way it is possible to confirm that the answers really come from the right source and have not been changed in transit.

* DNS threats include spoofing, data integrity, mutual authentication etc. DNSSEC addresses these vulnerabilities.

.TZ DNSSEC Adoption

.TZ signed its zones with DNSSEC in October 2012, and became fully operational by February 2013 as the 100th DNSSEC TLD in the world. It is the 3rd TLD in Africa to be signed with DNSSEC and the 1st TLD in Africa to use its own signer platform. .TZ is still in its early days of DNSSEC and we are planning to roll out a massive marketing campaign that will ensure more domains are secured in our zone. The campaign will involve training lessons for our registrars and ISPs on how best they can utilise DNSSEC to secure the Internet.

DNSSEC for Your .TZ Domain

To get a secured .tz domain or to secure your existing .tz domain, please contact any of our accredited registrars or contact your registrar. Domain registrants can publish their DS record (a hash of a customer's public DNSSEC keys) to the .tz zone through their registrar's interface. .TZ DNSSEC services are governed by the .TZ DNSSEC Policy and Practice Statement.

Public Keys

We recommend that you use the root key as the trust anchor (TA).

Valid Keys

KSK Key id is 5298

active KSK DS record (SHA512):
tz.            86400    IN    DS    5298 10 2 4733FC12533637B5F4600487511F6C228BED53FE00C1A6D319904878 FED76799
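How a DS record like the one above ties a parent zone to a child's key, as an added example that is not part of the original page or tzNIC's tooling: the fields after `DS` are key tag (5298), signing algorithm (10, RSA/SHA-512), digest type (2, SHA-256) and the digest, which is a hash over the owner name in wire format followed by the DNSKEY RDATA. The zone name `example.tz.` used with it in testing and the `SAMPLE_KEY` bytes are constructed assumptions, not real keys.

```python
import hashlib
import hmac
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# The .tz DS record exactly as published on this page
TZ_DS = ("tz. 86400 IN DS 5298 10 2 "
         "4733FC12533637B5F4600487511F6C228BED53FE00C1A6D319904878 FED76799")

def parse_ds(line):
    """Parse a DS record in zone-file presentation format."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    digest = bytes.fromhex("".join(f[i + 4:]))  # hex may be split by spaces
    if dtype in DIGESTS and len(digest) != DIGESTS[dtype]().digest_size:
        raise ValueError("digest length does not match digest type")
    return {"key_tag": tag, "algorithm": alg, "digest_type": dtype, "digest": digest}

def wire_name(name):
    """Canonical wire format: lower-case, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Build the DS a registrant hands to the registrar for this DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def ds_matches(ds, owner, rdata):
    """True only if the parent's DS is the hash of this DNSKEY at this owner."""
    if ds["digest_type"] not in DIGESTS:
        return False
    expected = make_ds(owner, rdata, ds["digest_type"])
    return (ds["key_tag"], ds["algorithm"]) == (expected["key_tag"], expected["algorithm"]) \
        and hmac.compare_digest(ds["digest"], expected["digest"])

SAMPLE_KEY = dnskey_rdata(257, 3, 10, bytes(range(64)))  # constructed KSK, not a real key
```

A validating resolver performs the same comparison at every delegation: a DNSKEY that does not hash to the DS published in the parent zone breaks the chain of trust.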

Contacts for DNSSEC

For anything to do with DNSSEC, kindly feel free to contact us; 

For more information regarding .tz DNSSEC, download the DNSSEC Policy and Practice Statement.