

DNSSEC for registrars

How to use DNSSEC with the Nominet systems

To secure a domain's DNS records with DNSSEC, DNSSEC Delegation Signer (DS) records for the domain must be published in the parent zone file.

Our systems support DS records, and we also provide an EPP Testbed so that registrars can test their DNSSEC implementation.

Registrars that want to be able to add or modify DS Records for their domains must first indicate that they support DNSSEC and enable the use of DNSSEC commands in their Online Service account. If this has not been done then it will not be possible to add, modify or view DS Records on any domains.

Documentation about how to modify or view the DS Records associated with domain names is provided for EPP and Web Domain Manager.

Supported values in DS Records

DS Records include the following fields (as specified by RFC 5910 and RFC 4034):

  • Key Tag
  • Algorithm
  • Digest Type
  • Digest

Our implementation of DNSSEC supports the values defined in the RFCs with limitations on algorithms defined in RFC 8624.

Allowed values

Key Tag: Any value allowed by RFC 4034 (integers in the range 0 to 65535)

Algorithm: This may be one of the following values:

  • 8 (RSASHA256)
  • 10 (RSASHA512)
  • 13 (ECDSAP256SHA256)
  • 14 (ECDSAP384SHA384)
  • 15 (Ed25519)
  • 16 (Ed448)

Digest Type: This may be one of the following values:

  • 1 (SHA-1)
  • 2 (SHA-256)
  • 3 (GOST)
  • 4 (SHA-384)

Digest: String value containing only hexadecimal digits

Web Domain Manager

Web Domain Manager can be used to add and remove DS records for domain names in the parent zone file. Before using these functions, registrars must first enable the use of DNSSEC in their Online Service account.

Adding and removing DS records

From the domain list in Web Domain Manager, click on a domain name – a summary of the domain name’s details will be shown. DS records are listed immediately after the list of nameservers for the domain. If there are currently no DS records for the domain, an ‘Add DS record’ link will be available. If DS records have already been added, the link will be ‘Add/remove DS records’.

Click the appropriate link to add or change DS records. Below the list of existing DS records there is a text field for new DS records. Text for DS records should be of the form:

<key tag> <algorithm> <digest type> <digest>

For example: 5498 5 1 FAA0119283234239872398723498234987ABD001
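A pre-submission check for DS text in the form above, as an added example (not Nominet's code): it validates one line against the allowed values listed on this page. The function and constant names and the per-type digest lengths are assumptions, and the sample lines other than the page's own example are constructed.

```python
import re

# Allowed values as listed on this page.
ALLOWED_ALGORITHMS = {8, 10, 13, 14, 15, 16}
# Digest type -> digest size in bytes. The sizes are an assumption taken from
# the hash definitions (SHA-1, SHA-256, GOST R 34.11-94, SHA-384), not this page.
DIGEST_BYTES = {1: 20, 2: 32, 3: 32, 4: 48}

# The format example given on this page.
PAGE_EXAMPLE = "5498 5 1 FAA0119283234239872398723498234987ABD001"
# Constructed sample lines (not real keys).
GOOD_SAMPLE = "5498 13 2 " + "AB" * 32
BAD_SAMPLE = "70000 13 2 " + "AB" * 20


def _as_int(text):
    """Parse a short unsigned decimal field, or return None."""
    return int(text) if re.fullmatch(r"[0-9]{1,5}", text) else None


def check_ds_line(line):
    """Return a list of problems found in a DS line; an empty list means it passed."""
    fields = line.split()
    if len(fields) != 4:
        return [f"expected 4 fields, got {len(fields)}"]
    key_tag, algorithm, digest_type = (_as_int(f) for f in fields[:3])
    digest = fields[3]
    problems = []
    if key_tag is None or key_tag > 65535:
        problems.append("key tag must be an integer in the range 0 to 65535")
    if algorithm not in ALLOWED_ALGORITHMS:
        problems.append(f"algorithm {fields[1]} is not in the allowed list")
    if digest_type not in DIGEST_BYTES:
        problems.append(f"digest type {fields[2]} is not in the allowed list")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        problems.append("digest must contain only hexadecimal digits")
    elif digest_type in DIGEST_BYTES and len(digest) != 2 * DIGEST_BYTES[digest_type]:
        problems.append(f"digest type {digest_type} needs "
                        f"{2 * DIGEST_BYTES[digest_type]} hex digits, got {len(digest)}")
    return problems


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, GOOD_SAMPLE, BAD_SAMPLE):
        print(sample[:24], "->", check_ds_line(sample) or "ok")
```

Run against the page's format example, the check reports algorithm 5, which is not among the algorithms listed under allowed values; the example's field layout and digest length are otherwise consistent with digest type 1.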

Creating new DNSSEC-enabled domain names

It is not currently possible to add a new domain name with DS records attached at the time of creation. The new domain name should be created as usual, then edited to add the DS record as above.
