Knowledge base DNSSEC
DNSSEC provides a means for you to sign domains to ensure they are secure.
There is a lot of information on what DNSSEC is and how it works on the internet. It means that authoritative zones can now be signed so they cannot be spoofed, and DNS resolvers can check the signing. The signing delegated from the root down, and some zones can now be signed (notably this includes UK domains now).
For the DNS system itself this simply means some new record types. The impact in the longer term will be more resolvers checking signing, and more zones being signed, so less spoofing and forgery will be possible. It also has the chance to break things in various ways and so is being deployed slowly.
Resolvers
Our resolvers handle DNSSEC based queries, for the relevant records and for checking signed records if you want to trust our resolvers.
Registry
We can lodge DS data records with the registry where available - notably UK domains can now do this - contact support.
Zone files
Where we manage your domain we do not currently sign the zone, but plan to soon (as an option), signed with our keys.
For subdomains, at present our management tools do not understand the relevant DNSSEC records being added on our management interfaces, but this is planned soon. If you need such records please contact support. This will only be relevant when we are signing zones we host.
