DNSSEC

At a glance

  • DNSSEC relies on a chain of trust within the DNS infrastructure emanating from the root through to individual zones.
  • The chain of trust has been extended to .uk second level domains. Registrars can complete the chain of trust through to individual domain names by generating a DNSSEC key and corresponding DS record.
  • We are also developing a DNSSEC signing service to simplify the signing of zones.

DNSSEC relies on a chain of trust within the DNS infrastructure emanating from the root through to individual zones. This chain of trust was established in July 2010 with the signing of the root zone by ICANN. This was preceded by the signing of the .uk zone in March 2010.

To make DNSSEC an operational reality for .uk zones, the chain of trust has been extended to .uk second level domains. The implementation of DNSSEC on .uk second levels delegated to Nominet was completed on 18 May 2011 with the signing of .sch.uk. Background information about DNSSEC, digital signatures and the chain of trust is provided in our introduction to DNSSEC.

Signing .uk domain names

On 18 May 2011 we also enabled our registry systems to accept DS records. This allows registrars to complete the chain of trust through to individual domain names by generating a DNSSEC key and corresponding DS record. Our systems can be used to place the DS record into the parent zone. The DNSSEC key (the DNSKEY record) must also be published in the zone for that domain name on the registrar’s nameservers. Further information on using DNSSEC registry systems is available here.

DNSSEC signing service

We have introduced a pilot DNSSEC signing service to simplify the signing of zones. This new product allows registrars to hand over the process of signing their zones to Nominet.