March 01 2010
As part of the global effort to improve the security of DNS, we, like other registries, are implementing DNSSEC in the zones under our management. DNSSEC prevents the interception of and tampering with DNS queries between nameservers, making the Internet safer. You can find a full explanation of what DNSSEC is and what it does here.
As announced at the .uk registrar conference in November, the first phase of this programme is to add DNSSEC information to the top-level .uk domain. This was implemented on Monday 1 March 2010, following the timetable below:
1. On Monday 22 February 2010, we lowered the TTL (time-to-live) of entries in the uk zone from two days to three hours. We will keep it at that level for three weeks (until Monday March 15). This will help ensure a smooth transition.
2. On Monday 1 March 2010, we introduced DNSSEC information into five of the eleven UK nameservers (ns1.nic.uk, nsa.nic.uk, nsb.nic.uk, nsc.nic.uk, nsd.nic.uk). During the following week, we will monitor the traffic on all our nameservers to look for any significant change in access patterns to ensure optimal performance. For the first week, from Monday 1 March to Monday 8 March, we will deliberately obscure the DNSSEC keys. Although DNSSEC information is present, it will not be possible to validate it.
3. On Monday 8 March 2010 the obscured keys will be replaced by real keys and DNSSEC rolled out to all .uk nameservers. With the signing of the root so close (scheduled for mid-2010), we have taken the decision not to include the keys in the major DNSSEC key stores (the IANA interim trust anchor repository and the ISC DLV repository). Instead, we will use the period as an extended operational test, waiting until the root goes live before publishing our trust anchor in the root zone.
4. One week after the rollout to all UK nameservers (15 March 2010), we will reset the TTLs of records in the .uk zone from three hours to two days.
What you need to do
These changes are being made as the first phase of deploying DNSSEC and should have no impact on your systems.
We will provide details of the next phases of our DNSSEC roll-out, which will include signing .co.uk and other SLDs, over the coming months. Watch this space for updates and guidance on the benefits and impacts of DNSSEC for your customers. If you have any queries please do get in touch with us.