Signed DNS zones at Cambridge

We have so far (June 2018) signed the zones listed below for DNSSEC.

  • cam.ac.uk
    • signed on Monday 3 August 2009, registered in dlv.isc.org soon after.
    • DS records in ac.uk registered on Monday 4 April 2011, which created a chain of trust from the root zone.
    • registration in dlv.isc.org removed on Sunday 15 July 2012.
  • 111.131.in-addr.arpa
    • signed on Tuesday 29 September 2009, registered in dlv.isc.org soon after.
    • DS records in 131.in-addr.arpa registered on Friday 8 April 2011, but this did not provide a chain of trust from the root zone until a DS record for 131.in-addr.arpa in in-addr.arpa was created around Thursday 28 April 2011.
    • registration in dlv.isc.org removed on Sunday 15 July 2012.
  • 0.0.2.0.0.3.6.0.1.0.0.2.ip6.arpa
    • signed on Tuesday 29 September 2009, registered in dlv.isc.org soon after.
    • registration in dlv.isc.org removed on Monday 19 March 2012, shortly before the zone was abolished.
  • 5.84.192.in-addr.arpa & 213.153.192.in-addr.arpa
    • signed on Thursday 22 October 2009, registered in dlv.isc.org soon after.
    • DS records in 192.in-addr.arpa registered on Friday 8 April 2011, but this did not provide a chain of trust from the root zone until a DS record for 192.in-addr.arpa in in-addr.arpa was created around Thursday 28 April 2011.
    • the registrations for these zones in dlv.isc.org were removed on Wednesday 13 April 2011.
  • [80-85,88-95].60.193.in-addr.arpa (14 zones)
    • signed around Thursday 14 April 2011, registered in dlv.isc.org soon after.
    • the parent zone 60.193.in-addr.arpa has not yet been signed by JANET.
  • 1.2.0.0.3.6.0.1.0.0.2.ip6.arpa
    • signed at creation on Friday 17 June 2011, registered in dlv.isc.org soon after.
    • the parent zone 0.3.6.0.1.0.0.2.ip6.arpa has not yet been signed by JANET.
  • 252.63.193.in-addr.arpa & 253.63.193.in-addr.arpa
    • signed when maintenance transferred to us on Wednesday 22 February 2012, registered in dlv.isc.org soon after.
    • the parent zone 63.193.in-addr.arpa has not yet been signed by JANET.
  • 195.18.192.in-addr.arpa
    • signed when maintenance transferred to us on Wednesday 22 February 2012, DS records in 192.in-addr.arpa registered soon after, which created a chain of trust from the root zone.
  • in-addr.arpa.cam.ac.uk
    • signed on Thursday 23 January 2014, with DS records for it created in cam.ac.uk shortly thereafter, creating a chain of trust from the root zone.
  • 86.60.193.in-addr.arpa & 87.60.193.in-addr.arpa
    • signed on Tuesday 29 July 2014, soon after maintenance had been transferred to us, registered in dlv.isc.org soon after.
    • the parent zone 60.193.in-addr.arpa has not yet been signed by JANET.
  • 0.0.4.b.5.0.a.2.ip6.arpa
    • signed on Thursday 21 June 2018, with DS records in the parent zone
    • This is the first zone we have signed with ECDSAP256SHA256
    • reverse DNS zone for our provider-independent IPv6 /32

A number of our reverse DNS zones listed above used to rely on dlv.isc.org to provide a chain of trust, because the parent zones maintained by JANET are not signed. The DLV was decommissioned in 2017, so those reverse DNS zones lost their DNSSEC chain of trust.

The following are just "placeholder" zones with very little content.

  • cambridge.ac.uk
    • signed on Tuesday 16 April 2013, using algorithm RSASHA256, registered in dlv.isc.org soon after.
    • DS record in ac.uk registered on Monday 27 May 2013, which created a chain of trust from the root zone, registration in dlv.isc.org removed soon after.
  • cambridgeuniversity.ac.uk
  • cambridge-university.ac.uk
  • cantab.ac.uk
  • ucam.ac.uk
  • universityofcambridge.ac.uk
  • university-of-cambridge.ac.uk
    • signed on Monday 27 May 2013, using algorithm RSASHA256, DS records in ac.uk registered soon after, which created a chain of trust from the root zone.
  • cambridge.net.uk
    • signed on Monday 27 May 2013, using algorithm RSASHA256
    • Has a DS record in the net.uk zone
  • cambridgeuniversity.net.uk
  • cambridge-university.net.uk
  • universityofcambridge.net.uk
  • university-of-cambridge.net.uk
  • university-of-cambridge.org.uk
  • university-of-cambridge.net
  • university-of-cambridge.org
  • ucam.biz
  • cambridgeuniversity.biz
  • cambridge-university.biz
  • universityofcambridge.biz
  • university-of-cambridge.biz
    • signed on Monday 27 May 2013, using algorithm RSASHA256
    • DS records missing

The following zones maintained by the Computer Laboratory have also been signed.

  • cl.cam.ac.uk
    • signed in November 2013, with DS records for it created in cam.ac.uk on 18 November 2013, creating a chain of trust from the root zone.
  • cst.cam.ac.uk
    • created and signed in July 2017, with DS records for it created in cam.ac.uk on 20 July 2017, creating a chain of trust from the root zone.
  • 232.128.in-addr.arpa
    • signed in November 2013, with DS records for it created in 128.in-addr.arpa on 9 January 2014, creating a chain of trust from the root zone.
  • 2.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa
    • signed in November 2013, with DS records for it created in 1.2.0.0.3.6.0.1.0.0.2.ip6.arpa, which is itself registered in dlv.isc.org (see above).

The following zones maintained by the Faculty of Mathematics have also been signed.

  • damtp.cam.ac.uk
  • dpmms.cam.ac.uk
  • maths.cam.ac.uk
  • newton.cam.ac.uk
  • statslab.cam.ac.uk
  • 16.111.131.in-addr.arpa
  • 17.111.131.in-addr.arpa
  • 18.111.131.in-addr.arpa
  • 20.111.131.in-addr.arpa
  • 24.111.131.in-addr.arpa
  • 145.111.131.in-addr.arpa
    • Signed in January 2017, with DS records added in the parent zones, creating a chain of trust from the root zone.

Other DNS zones maintained by the UIS or others may become signed later.

Except where noted, all these signed zones use the RSASHA1 signing algorithm, and they all use NSEC (rather than NSEC3) records for proving non-existence. For UIS-maintained zones we originally used 800-bit moduli for ZSKs and 1200-bit ones for KSKs, but as time goes on we are gradually increasing these. Currently (September 2014) we are using 944-bit ZSKs and 1280-bit KSKs.
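To check the algorithm and key sizes a zone actually publishes, the DNSKEY RDATA can be parsed directly. The following is an added example, not code from this page or from the University: it reads the RFC 3110 RSA key layout to recover the modulus size and reports the key role and algorithm. The function names, the finding labels and the 2048-bit threshold are assumptions, and the sample keys are constructed placeholders of the sizes quoted above, not real keys.

```python
import base64

# IANA DNSSEC algorithm numbers for the three algorithms named on this page.
ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    if len(key) < 3:
        raise ValueError("truncated RSA key")
    if key[0]:                       # one-octet exponent length
        exp_len, offset = key[0], 1
    else:                            # zero octet, then a two-octet length
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    modulus = key[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(rdata: str, min_rsa_bits: int = 2048) -> dict:
    """Audit DNSKEY RDATA in presentation form: flags protocol algorithm key."""
    flags, _protocol, alg, *b64 = rdata.split()
    flags, alg = int(flags), int(alg)
    key = base64.b64decode("".join(b64))
    findings = []
    if alg in (5, 8):
        bits = rsa_modulus_bits(key)
        if alg == 5:
            findings.append("sha1-algorithm")
        if bits < min_rsa_bits:      # threshold is an assumed local policy
            findings.append("short-rsa-modulus")
    elif alg == 13:
        if len(key) != 64:           # P-256 point: 32-octet X then 32-octet Y
            raise ValueError("bad ECDSA P-256 key length")
        bits = 256
    else:
        raise ValueError(f"algorithm {alg} not handled in this example")
    role = "KSK" if flags & 1 else "ZSK"   # SEP bit marks a key-signing key
    return {"role": role, "algorithm": ALGORITHMS[alg], "bits": bits, "findings": findings}

def make_rsa_rdata(flags: int, alg: int, bits: int) -> str:
    """Constructed sample: RSA-shaped RDATA of a given modulus size (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    key = b"\x03\x01\x00\x01" + modulus.to_bytes((bits + 7) // 8, "big")
    return f"{flags} 3 {alg} {base64.b64encode(key).decode()}"

if __name__ == "__main__":
    for sample in (make_rsa_rdata(256, 5, 944), make_rsa_rdata(257, 5, 1280),
                   make_rsa_rdata(257, 8, 2048)):
        print(audit_dnskey(sample))
```

For a live zone, the RDATA strings would come from the zone's DNSKEY RRset rather than from `make_rsa_rdata`.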