DNSSEC (DNS Security Extensions) is a DNS extension that cryptographically signs zone records. A browser or resolver can verify that the DNS response came from the real zone owner and wasn’t tampered with in transit.
\n
What it protects against
\n
- DNS response spoofing on public Wi-Fi
- Cache poisoning attacks on ISPs
- Traffic redirection to phishing sites
\n
Does .tj support DNSSEC
\n
Yes, the .tj zone supports DNSSEC. You can sign your zone and publish a DS record in the registry.
\n
How to enable it
\n
- Sign the zone at your DNS provider (most modern DNS — Cloudflare, AWS Route 53, Navju Cloud DNS — do this in one click)
- Get the DS record (key tag, algorithm, digest type, digest)
- Add the DS in the Navju Cloud registrar panel under DNSSEC
- Wait 24 hours — the registry will publish the signature in the .tj zone
\n
Verify it’s working with DNSSEC Analyzer or dig DNSKEY your-domain.tj +dnssec.