DNSSEC for UK domains

I finally got around to enable DNSSEC (Domain Name System Security Extensions) for my primary domain zhadum.org.uk. This extra layer of protection makes it much harder to forge DNS entries for my domain.

Following the steps in this tutorial the whole process was not very difficult. Although I had to make a few adjustments because Nominet, the UK domain registry, mandates the use of different key algorithms for DNSSEC.

Here are the appropriate commands for UK domains:

dnssec-keygen -a RSASHA256 -b 1024 -n ZONE example.uk
dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.uk

If the OpenSSL command client is available on your system you can also generate the salt for the zone signing with a single command:

openssl rand -hex 8

After you have completed the configuration of your name server you can use VeriSign’s DNSSEC Analyzer to test your setup. If everything is working correctly the DNSSEC Analyzer should only complain about the missing DS records in the parent zone. To rectify this you need to submit the DS records to your domain registrar who in turn will submit them to Nominet. Once this has been done you should have complete DNSSEC protection for your domain.

I hope these tips help other people to get their UK domains protected with DNSSEC as well.