DNSSEC relies on a chain of trust within the DNS infrastructure emanating from the root through to individual zones. This chain of trust was established in July 2010 with the signing of the root zone by ICANN. This was preceded by the signing of the .uk zone in March 2010.

To make DNSSEC an operational reality for .uk zones, the chain of trust has been extended to .uk second level domains. The implementation of DNSSEC on .uk second levels delegated to Nominet was completed on 18 May 2011 with the signing of .sch.uk . Background information about DNSSEC, digital signatures and the chain of trust is provided in our introduction to DNSSEC.

Second Level	Signing Date	DS Record in Parent Zone
.me.uk	12 April 2011     √	19 April 2011     √
.co.uk	26 April 2011     √	3 May 2011       √
.ltd.uk	9 May 2011       √	12 May 2011      √
.plc.uk	10 May 2011      √	12 May 2011      √
.org.uk	10 May 2011      √	12 May 2011      √
.net.uk	12 May 2011      √	16 May 2011      √
.sch.uk	16 May 2011      √	18 May 2011     √

Signing .uk domain names

On 18 May 2011 we also enabled our registry systems to accept DS records. This allows registrars to complete the chain of trust through to individual domain names by generating a DNSSEC key and corresponding DS record. Our systems can be used to place the DS record into the parent zone. The DNSSEC key will also need to be published onto the registrars nameserver record for that domain name. Further information on using DNSSEC registry systems is available.

DNSSEC signing service

We are also developing a DNSSEC signing service to simplify the signing of zones. Further information and a deployment schedule for the signing service is available.