Category: CZ.NIC

Over 50% of .CZ domains now signed with DNSSEC!

CZ domain statisticsCongrats to the team at CZ.NIC and to Internet users within the Czech Republic – the number of .CZ domains signed with DNSSEC just passed over the 50% mark! It’s great to see so many businesses, organizations and individuals using .CZ domains now receiving the higher level of trust that comes with DNSSEC signatures.

CZ.NIC’s Ondrej Filip spread the news yesterday in a tweet:

This milestone fits well with other European country code top-level domains (ccTLDs) that also have significant signing of second-level domains, including: Norway’s .NO (58.2%), Sweden’s .SE (also 51.3%), the Netherland’s .NL (45%).

Congrats to Ondrej and the whole team at .CZ for achieving this milestone! Now on to the remaining 48.7%…  🙂

If you want the higher level of trust that comes with signing your domain with DNSSEC, please visit our “Start Here” page to find resources to help you begin!

Weekend Project: Install The DNSSEC/TLSA Validator for Chrome, Firefox, more

DNSSEC / TLSA ValidatorHow do you know if a website has a domain signed by DNSSEC?  Here’s another quick weekend project, very similar to last weekend’s project , where you can add support to your web browsers to know the DNSSEC status of sites you are visiting.  Even better, as people start to use the DANE protocol to secure TLS/SSL certificates, you’ll be able to know when DANE is being use.

The great team at CZ.NIC Labs has released a new version 2.1 of their plugin for Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Opera.  You can get it at:

A key difference in this version from previous versions is that it now has support for the TLSA record in DNS that is used by the DANE protocol to add an extra layer of trust to the usage of TLS/SSL certificates.

Once you have the DNSSEC/TLSA validator installed in your browser, you should be able to go to links on these pages to test out your new capabilities:

When you visit the sites, you should see additional icons in your browser’s address bar that will give you information such as this:


The addition of TLSA record support is a great new feature!  While TLSA record usage is still quite small among web sites today, having this ability to see the TLSA usage will definitely help the people out there who are pioneering the usage.

Kudos to the CZ.NIC team for making this available!

P.S. Do note that in order for this to work in your web browser needs to have access to a DNSSEC-validating DNS resolver.   [UPDATE: As noted in the comments to this post, the add-on no longer requires access to a DNSSEC-validating DNS resolver. The required capabilities were built into the code instead.  Having said that, it's still also great to make sure your local DNS resolver does do DNSSEC validation for all the other apps you have.] The add-on can use DNSSEC-validating DNS resolvers from CZ.NIC or Google, buy why not make your network that much more secure and install your own DNSSEC-validating resolvers?  Check out our recent weekend project to learn more about how to configure DNSSEC validation on your local DNS resolver.

Knot DNS

Knot DNSKnot DNS is an authoritative DNS name server that can be used to serve out zone records and includes support for DNSSEC and DANE.  One of the key design goals is to provide simple DNSSEC support for dynamic DNS.  Knot DNS is developed by the team at CZ.NIC and can be found at:

It is available pre-packaged for several versions of Linux and also as source code as a release or directly from a git repository.

Knot DNS is highly scalable and used by CZ.NIC for the operation of the .CZ TLD. It was developed with the target audience of network operators and DNS operators in mind but can be used by anyone needing to serve out DNS records.

For an overview of Knot DNS, you can view this short video interview with Jaromir Talir of CZ.NIC:

Prior to this interview, Jaromir had spoken on stage at ENOG 6 in Kiev, Ukrain, in more detail about Knot DNS. His ENOG 6 slides about Knot DNS are online and a video recording of his presentation is available: