

How it works


Basic principle of the service

The DNSSEC Signing Service simplifies the process of signing .uk zones. The basic principle is that on instruction from a registrar, the service will generate the DNSSEC key and the corresponding DS record. The system will publish the DNSSEC key to the registrar's nameserver, and for .uk zones publish the DS record to the parent .uk zone file.

The signing service uses AXFR zone transfers to obtain zones from, and publish zones to, registrars' nameservers. For the service to work, registrars must provision their nameserver infrastructure with hidden master and slave nameservers as well as a public nameserver.

Detailed operation

For zones that you want signed with DNSSEC, you set up a nameserver serving the zone; let's call this the "unsigned master". The unsigned master is hidden: it does not serve the zone to users, it just sends the zonefile to Nominet's DNSSEC Signing Service. The Signing Service generates a key that is used to sign the zone. You also need to set up another nameserver; let's call this the "signed slave". The signed zonefile will be sent to the signed slave, and it can then be published to your public nameserver if that is part of your infrastructure set-up.

Whenever you modify the zone on your unsigned master, this change will be propagated to the DNSSEC Signing Service, and the zonefile will be re-signed and sent to your signed slave.  Also, the zone needs to be re-signed periodically to keep the signatures valid. The DNSSEC Signing Service will do this automatically, and send the updated zonefile to your signed slave.

Of course you may want to duplicate the unsigned master / signed slave for reliability through redundancy; the DNSSEC Signing Service will try all your unsigned masters, and pick the one offering the latest SOA.  This signed zonefile will propagate to all your signed slaves.  Conversely, it is not necessary to separate the signed slave and your public nameserver – this could be a single server.

System transactions

  1. Registrar sends a request to sign a zone by EPP or Web Domain Manager
  2. Nominet's EPP server passes the request to the DNSSEC Signing Service
  3. The Signing Service polls the registrar's unsigned master for a zone transfer
  4. The Signing Service receives the zone
  5. The Signing Service generates a DNSSEC key and:
    1. The signed zone is transferred to the signed slave nameserver
    2. The DS record is published in the parent .uk zone, in response to an EPP <secure> command.
  6. The registrar publishes the signed zone from the slave to their public nameserver


After the initial signing, the unsigned zone is periodically polled to check for changes, and updated and re-signed if necessary.  The zone is also re-signed periodically if it has not changed, to keep the signatures up to date.
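Because the zone depends on this periodic re-signing, a registrar can check the zone held on the signed slave for signatures that are close to expiry. The following is an added example, not part of Nominet's documentation or service: the zone data is constructed, and the function name `signature_status` and the seven-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone as seen on the signed slave.
# Signature data is a placeholder, not a real signature.
SAMPLE_ZONE = """\
example.uk. 3600 IN SOA ns1.example.uk. hostmaster.example.uk. 2024011601 7200 3600 1209600 3600
example.uk. 3600 IN RRSIG SOA 8 2 3600 20240215000000 20240116000000 12345 example.uk. cGxhY2Vob2xkZXI=
example.uk. 3600 IN RRSIG NS 8 2 3600 20240215000000 20240116000000 12345 example.uk. cGxhY2Vob2xkZXI=
www.example.uk. 3600 IN RRSIG A 8 3 3600 20240120000000 20231221000000 12345 example.uk. cGxhY2Vob2xkZXI=
"""

def _timestamp(field):
    # RFC 4034 presentation format: YYYYMMDDHHmmSS or seconds since the epoch.
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def signature_status(zone_text, now, warn=timedelta(days=7)):
    """Map (owner, covered type, key tag) to the state of that RRSIG at `now`."""
    status = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # not an RRSIG record on a single line
        expiration, inception = _timestamp(f[8]), _timestamp(f[9])
        if now < inception:
            state = "not-yet-valid"
        elif now > expiration:
            state = "expired"      # validating resolvers treat the RRset as bogus
        elif expiration - now <= warn:
            state = "expiring"     # the zone has not been re-signed recently
        else:
            state = "ok"
        status[(f[0], f[4], int(f[10]))] = state
    return status

if __name__ == "__main__":
    now = datetime(2024, 1, 18, tzinfo=timezone.utc)
    for key, state in sorted(signature_status(SAMPLE_ZONE, now).items()):
        print(key, state)
```

Any `expiring` or `expired` result suggests that re-signed zones are not reaching the signed slave, which is worth investigating before validating resolvers start rejecting the zone.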

The DNSSEC signing service uses EPP and Web Domain Manager to initiate the signing process for zones. Further details are provided in the instructions for use.

Minerva House, Edmund Halley Road, Oxford Science Park, OX4 4DQ, United Kingdom