DNSSEC is an extension of the Domain Name System (DNS) that serves to guarantee the authenticity and integrity of data from DNS responses.

DNSSEC uses cryptographic signatures to ensure that any manipulation of DNS responses does not go unnoticed, enabling data to be published securely on the DNS. Virtually every transaction on the internet begins with a DNS request, whether it's accessing a website, sending an email, instant messaging, or online banking. DNSSEC prevents a connection from being redirected to the wrong server via fraudulent DNS responses.

DNSSEC is also the basis for other security mechanisms. For example, DANE makes it possible to send encrypted emails to the correct destination server without involving a third party (certificate authority). In combination with technologies such as TLS, internet transactions are secured on multiple levels.

Online communication predominantly uses the DNS to look up information. As the DNS protocol dates back to the beginning of the internet, however, the design did not take security aspects into account. DNSSEC secures an otherwise unprotected DNS protocol, thereby improving the security of overall online communication.

As an internet user you do not need to do anything. If your internet access provider supports DNSSEC, then all the checks on the signatures will be made on your provider's DNS servers.

If you as the holder would like to protect your domain name with DNSSEC, the operator of the name servers has to set this up for you. If the name servers are operated by your webhosting provider, please contact them. If your company operates their own name servers please contact your internal IT department.

The chart shows the number of DNSSEC-signed .li domain names on the first of each month since SWITCH introduced DNSSEC in 2010.

Number of .li domain names with DNSSEC

The current DNSSEC keys for the top level domains .ch and .li are published here for name server operators.

NB: The keys for the top level domains .ch and .li should not be directly configured as trust anchors in your name servers. Instead, you should make sole use of the root-zone keys. Our keys are only set out here for checking purposes.

Current DNSSEC keys

CH: Key 55966, intended validity until 16 December 2020

DS 55966 13 2 CEB479416E4EFD770800434BE1245E1B10D4CF018255C11D8544C448FA032B32

LI: Key 30904, intended validity until 16 December 2020

DS 30904 13 2 63725534B907CFC0E2326A640327C70C8E44D747AABEEF0D1A14AFB7836A7894

The "Key Management Practice Statement" document describes how SWITCH handles the cryptographic key material associated with DNSSEC. It explains how the keys are generated and saved and when they lose their validity.

Key Management Practice Statement

Registrars for .li

Registering new .li domain names: Please select a registrar.
Already registered domain names: Please contact the registrar administering your domain name for any changes.

List of all Registrars

Domain Name Search (Whois)

Is the .li domain name you want still available?

Domain Name Search