How to use DNSSEC with the Nominet systems
To use DNSSEC to secure the DNS records for a domain, DNSSEC Delegation Signer (DS) records for the domain must be published in the parent zone file.
Our systems support DS records and additionally we have an EPP Testbed to allow registrars to test their DNSSEC implementation.
Registrars that want to add or modify DS Records for their domains must first indicate that they support DNSSEC and enable the use of DNSSEC commands in their Online Service account. Until this has been done, it is not possible to add, modify or view DS Records on any domains.
Documentation about how to modify or view the DS Records associated with domain names is provided for the Automaton, Nominet EPP, Standard EPP and Web Domain Manager.
Supported values in DS Records
DS Records include the following fields (as specified by RFC 5910 and RFC 4034):
- Key Tag
- Algorithm
- Digest Type
- Digest
Our implementation of DNSSEC supports the values defined in the RFCs, with some limitations on the algorithms and digest types which are supported.
| Field | Allowed values |
| --- | --- |
| Key Tag | Any value allowed by RFC 4034 (integers in the range 0 to 65535) |
| Algorithm | One of the following values: 3 (DSA), 5 (RSASHA1), 6 (DSA-NSEC3-SHA1), 7 (RSASHA1-NSEC3-SHA1), 8 (RSASHA256), 10 (RSASHA512), 12 (ECC-GOST) |
| Digest Type | One of the following values: 1 (SHA-1), 2 (SHA-256) |
| Digest | String value containing only hexadecimal digits |
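A registrar can derive the four DS fields from a DNSKEY and check them against the table above before submitting them. The following Python sketch is an added example, not Nominet code: the function names, the sample owner name and the placeholder key bytes are assumptions, and the digest-length check is an extra sanity check that the table does not state.

```python
import hashlib
import string
import struct

# Allowed values copied from the table above.
ALLOWED_ALGORITHMS = {3, 5, 6, 7, 8, 10, 12}
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def owner_to_wire(name):
    """Canonical lower-case wire form of the owner name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, algorithm, public_key, digest_type):
    """Derive (key tag, algorithm, digest type, digest) from a DNSKEY."""
    rdata = struct.pack("!HBB", flags, 3, algorithm) + public_key  # protocol is always 3
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()

def validate_ds(tag, algorithm, digest_type, digest):
    """Return a list of problems; an empty list means the fields fit the table."""
    errors = []
    if not (isinstance(tag, int) and 0 <= tag <= 65535):
        errors.append("key tag must be an integer in the range 0 to 65535")
    if algorithm not in ALLOWED_ALGORITHMS:
        errors.append("algorithm %r is not in the supported list" % (algorithm,))
    if digest_type not in DIGEST_TYPES:
        errors.append("digest type %r is not in the supported list" % (digest_type,))
    if not digest or any(c not in string.hexdigits for c in digest):
        errors.append("digest must contain only hexadecimal digits")
    elif digest_type in DIGEST_TYPES:
        # Extra sanity check, not stated in the table: 40 hex digits for SHA-1, 64 for SHA-256.
        if len(digest) != DIGEST_TYPES[digest_type]().digest_size * 2:
            errors.append("digest length does not match the digest type")
    return errors

if __name__ == "__main__":
    # Constructed sample: placeholder key bytes, not a real DNSKEY.
    ds = make_ds("example.uk", 257, 8, bytes(range(1, 65)), 2)
    print(ds, validate_ds(*ds))
```

A DS record built from a key with an algorithm outside the supported list (for example 13) is reported by `validate_ds` before it reaches the registry.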