DNSSEC at Gandi (UPDATED)


This option is useful only if you know how to configure your own DNS servers, and at this point, it is enabled only for a relatively small number of popular domain name extensions.

The basic principle is to use digital keys and signatures to protect DNS from attacks such as DNS cache poisoning. When properly deployed, DNSSEC gives visitors to a secured domain an additional level of assurance that they have reached the site they intended to reach (authentication). The Registry for the domain stores the public key, and the authoritative DNS server stores the private key. The resolving client checks the digital signature of the response to see whether it is complete and authentic, i.e. that it comes from the authoritative DNS server.

For detailed information, see:

To allow domain name owners at Gandi to use this facility, Gandi has created a tool that allows posting the public key(s) to the registry.

There are some prerequisites: first, you must possess the skills needed to set up and manage your own DNS server, generate a key, and install the private key on your DNS server. Your domain name cannot use Gandi's DNS as its primary server, but you can still have it as a secondary DNS if you like. Finally, your domain has to be in one of the following extensions:

TLDs you can use with DNSSEC at Gandi

Several other extensions are managed by Gandi and are also compatible with DNSSEC. They will soon have the option added. They are:

TLDs you will soon be able to use with DNSSEC at Gandi

When you have your DNS server and private key in place, just use the new DNSSEC Management screens to populate the Registry with your public key. If you need help, please take a look at our Wiki page about the use of DNSSEC at Gandi.
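Once the key has been posted, the parent zone carries a DS record derived from it, and you can confirm that this record really corresponds to the key on your own server. The following is an added example, not Gandi's tool or code: it computes the key tag (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4509) from a DNSKEY line and compares them with a DS line. The domain `example.com`, the algorithm number and the key bytes are constructed sample values, and DS digest type 2 is assumed.

```python
import base64
import hashlib

def name_to_wire(owner: str) -> bytes:
    """Canonical (lower-cased) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, dnskey_line: str, ds_line: str) -> bool:
    """Compare a zone-file DNSKEY line with a DS line seen in the parent zone."""
    f = dnskey_line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    rdata = dnskey_rdata(flags, proto, alg, base64.b64decode("".join(f[i + 4:])))
    d = ds_line.split()
    j = d.index("DS")
    tag, ds_alg, digest_type = (int(x) for x in d[j + 1:j + 4])
    digest = "".join(d[j + 4:]).upper()
    # Every field must agree: a DS with the right digest but the wrong
    # tag or algorithm will not validate the zone.
    return (digest_type == 2 and tag == key_tag(rdata) and ds_alg == alg
            and digest == ds_sha256(owner, rdata))

if __name__ == "__main__":
    # Constructed sample key material, not a real key.
    raw = bytes(range(64))
    dnskey = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(raw).decode()
    rdata = dnskey_rdata(257, 3, 13, raw)
    ds = f"example.com. 3600 IN DS {key_tag(rdata)} 13 2 {ds_sha256('example.com', rdata)}"
    print(ds)
    print("parent DS matches local key:", ds_matches("example.com", dnskey, ds))
```

A mismatch between the DS in the parent zone and the key that signs your zone makes validating resolvers treat the domain as bogus, so run this comparison before and after every key change.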

Update (08/03/2012): DNSSEC is now available for .ORG

Update (19/03/2012): DNSSEC is now available for .CO.UK, .ORG.UK and .ME.UK