DNSSEC

Signing gTLD domain names

Our registry systems are enabled to accept DS records. This allows registrars to complete the chain of trust through to individual domain names by generating a DNSSEC key and corresponding DS record. Our systems can be used to place the DS record into the parent zone. The DNSSEC key will also need to be published onto the registrar’s nameserver record for that domain name.  The Nominet DNSSEC Practice Statement is published here.

The following applies to our DNSSEC implementation:

  • Adheres to RFC 5910 (Hollenbeck, RFC5910, 2010)
  • Uses  "secDNS-1.1.xsd" using the "DS Data" interface
  • Allows the valid algorithms:
    • DSA
    • RSASHA1
    • DSA-NSEC3-SHA1
    • RSASHA1-NSEC3-SHA1
    • RSASHA256
    • RSASHA512
    • ECC-GOST
    • ECDSA Curve P-256 with SHA-256
    • ECDSA Curve P-384 with SHA-384
  • Allows the valid digests:
    • SHA-1
    • SHA-256
  • Does not have the maxSigLife attribute enabled
  • Allows a maximum number of 8 DNSSEC records per domain

DNSSEC for .UK registrars

Information on using .uk DNSSEC registry systems is available here.