15.05.2025

Securing zone file transfer with TLS serving .lu


Still rarely used by domain name registries, secure DNS zone transfers over TLS have gone through integration testing conducted jointly by Restena and nic.at. Given the convincing results, Restena will integrate this innovative technology into the .lu technical infrastructure in the near future.

Over the last few months, as part of its .lu registry activity, the Restena Foundation has been working on a new zone file distribution server that contains all the active .lu domain names. The objective behind this work is to add a further layer of security to .lu.

In the future, this new server will not only improve the redundancy of .lu, but also allow the deployment of new services:

  • Semantic validation of DNSSEC (Domain Name System Security Extensions) keys and signatures for the .lu zone, DNSSEC being a technology that authenticates DNS (Domain Name System) data and avoids numerous vulnerabilities.
  • DNS zone transfer over TLS, also known as XoT or XFR-over-TLS (as specified by the Internet Engineering Task Force in RFC 9103), which guarantees both the authenticity and the confidentiality of zone transfers to secondary servers.

As the first European domain name registry to officially support XFR-over-TLS, Restena is a pioneer in this field and contributes to knowledge and experimentation on secure DNS zone transfers over TLS.

Successful integration tests

Restena conducted integration tests of secure DNS zone transfers over TLS in collaboration with nic.at, the Austrian registry for .at domain names. Together, they tested the effective securing of the .lu registry zone file transfer to the secondary servers of the RcodeZero anycast service provided by nic.at, which is being considered as a replacement for one of the current suppliers of the .lu global presence.

The results confirmed the correct operation of the software and configurations required to set up secure DNS zone transfers over TLS and to integrate RcodeZero into the .lu technical infrastructure.

Security benefits

Using secondary anycast servers is essential for .lu. With that solution, the .lu zone content (i.e. all active .lu domains managed by Restena) is redundantly distributed across the globe, speeding up the resolution of .lu domain names regardless of where the request originates. That is not all: anycast also protects against denial of service attacks, as it becomes almost impossible to make .lu unavailable worldwide.

Combining anycast with secure DNS zone transfers over TLS offers additional benefits:

  • It guarantees the confidentiality of the .lu content during zone transfers.
  • It ensures that the zone is only transferred to authorised service providers.

This combination thus better protects the technical and commercial data of .lu domain name holders.
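As an added illustration, not part of the original article and not the actual configuration of Restena or nic.at, the following named.conf fragments show how a primary and a secondary running BIND 9.18 or later would be set up for XFR-over-TLS as described above (the article does not name the software used). Zone name, addresses, file paths and the TSIG secret are placeholders.

```conf
# ---- Primary (zone publisher) ----
# TSIG key shared with the authorised secondary; replace the placeholder
# secret with the output of `tsig-keygen xot-secondary-key`.
key "xot-secondary-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";
};

# Certificate the primary presents to secondaries (placeholder paths).
tls xot-server {
    key-file  "/etc/bind/tls/primary.example.key";
    cert-file "/etc/bind/tls/primary.example.crt";
    protocols { TLSv1.3; };
};

options {
    listen-on port 53 { any; };                    # ordinary DNS queries
    listen-on port 853 tls xot-server { any; };    # XoT listener (RFC 9103)
};

zone "zone.example" {
    type primary;
    file "/var/lib/bind/zone.example.db";
    # Only TSIG-authenticated requests arriving over TLS on port 853 may
    # transfer the zone; plaintext AXFR/IXFR on port 53 is refused.
    allow-transfer port 853 transport tls { key xot-secondary-key; };
};

# ---- Secondary (anycast provider) ----
key "xot-secondary-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";      # same secret as above
};

# Strict TLS: verify the primary's certificate against a pinned CA and
# check its hostname, so the zone is only pulled from the genuine primary.
tls xot-client {
    ca-file "/etc/bind/tls/primary-ca.pem";
    remote-hostname "primary.example";
    protocols { TLSv1.3; };
};

zone "zone.example" {
    type secondary;
    file "/var/lib/bind/zone.example.db";
    primaries { 192.0.2.53 port 853 key xot-secondary-key tls xot-client; };
};
```

The TSIG key and the transport restriction together implement the two benefits listed above: the TLS session hides the zone content in transit, and only a secondary holding the key and connecting over TLS is served.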

An improved quality of service

Within the coming months, Restena will review its partnerships for the provision of the anycast service so as to optimise performance, reliability and security when broadcasting the .lu zone. Its main ambition is to put XFR-over-TLS at the forefront of the specifications.

This review will enable Restena to offer a better quality of service to the almost 118.000 active .lu domain names, of which more than 10.000 are DNSSEC-signed.