Signed DNS zones at Cambridge

DNS, DHCP and IP address management is changing. Please see the BlueCat documentation. This section has changed significantly with the introduction of BlueCat.

We have so far (January 2020) signed the zones listed below for DNSSEC.

Starting in November 2019, we moved the UIS-maintained zones to ECDSAP256SHA256, which is abbreviated as ECDSA256 below.

All these zones use NSEC (rather than NSEC3) records for proving non-existence.

Main CUDN zones

cam.ac.uk

  • 2009-09-03: signed with RSASHA1 and registered in dlv.isc.org soon after.
  • 2011-04-04: DS records registered in ac.uk, which created a chain of trust from the root zone.
  • 2012-07-15: removed registration in dlv.isc.org.
  • 2020-01-13: signed with ECDSA256.
  • 2020-01-15: DS record switched from RSASHA1 to ECDSA256.
  • 2020-01-16: RSASHA1 disabled.

in-addr.arpa.cam.ac.uk

  • 2014-01-23: signed with RSASHA1 and DS records registered in cam.ac.uk, creating a chain of trust from the root zone.
  • 2020-01-15: signed with ECDSA256.
  • 2020-01-16: DS record switched from RSASHA1 to ECDSA256, and RSASHA1 disabled.

111.131.in-addr.arpa

  • 2009-09-29: signed with RSASHA1 and registered in dlv.isc.org soon after.
  • 2011-04-08: DS records registered in 131.in-addr.arpa, but this did not provide a chain of trust from the root zone.
  • 2011-04-28: DS record for 131.in-addr.arpa created in in-addr.arpa to complete the chain of trust.
  • 2012-07-15: removed registration in dlv.isc.org.
  • 2020-01-10: signed with ECDSA256.
  • 2020-01-13: DS record switched from RSASHA1 to ECDSA256.
  • 2020-01-15: RSASHA1 disabled.

195.18.192.in-addr.arpa

  • 2012-02-22: zones transferred to us, signed with RSASHA1, and DS records registered in 192.in-addr.arpa, which created a chain of trust from the root zone.
  • 2019-11-15: algorithm rollover to ECDSA256.

5.84.192.in-addr.arpa
213.153.192.in-addr.arpa

  • 2009-10-22: signed with RSASHA1 and registered in dlv.isc.org soon after.
  • 2011-04-08: DS records registered in 192.in-addr.arpa, but this did not provide a chain of trust from the root zone.
  • 2011-04-28: DS record for 192.in-addr.arpa created in in-addr.arpa to complete the chain of trust.
  • 2011-04-13: removed registrations in dlv.isc.org.
  • 2019-12-16: signed with ECDSA256.
  • 2019-12-18: DS record switched from RSASHA1 to ECDSA256.
  • 2019-12-20: RSASHA1 disabled.

[80-85,88-95].60.193.in-addr.arpa (14 zones)

  • 2011-04-14: signed with RSASHA1 and registered in dlv.isc.org soon after.
  • 2017-09-30: dlv.isc.org decommissioned.
  • 2019-12-16: fast algorithm rollover to ECDSA256.
  • There is no chain of trust from the root zone because the parent zone 60.193.in-addr.arpa has not yet been signed by JANET.

86.60.193.in-addr.arpa
87.60.193.in-addr.arpa

  • 2014-07-29: zones transferred to us, signed with RSASHA1, and registered in dlv.isc.org soon after.
  • 2017-09-30: dlv.isc.org decommissioned.
  • 2019-12-16: fast algorithm rollover to ECDSA256.
  • There is no chain of trust from the root zone because the parent zone 60.193.in-addr.arpa has not yet been signed by JANET.

252.63.193.in-addr.arpa
253.63.193.in-addr.arpa

  • 2012-02-22: zones transferred to us, signed with RSASHA1, and registered in dlv.isc.org soon after.
  • 2017-09-30: dlv.isc.org decommissioned.
  • 2019-12-16: fast algorithm rollover to ECDSA256.
  • There is no chain of trust from the root zone because the parent zone 63.193.in-addr.arpa has not yet been signed by JANET.

0.0.2.0.0.3.6.0.1.0.0.2.ip6.arpa (now abolished)

  • 2009-09-29: signed with RSASHA1 and registered in dlv.isc.org soon after.
  • 2012-03-19: removed registration in dlv.isc.org, shortly before the zone was abolished.

1.2.0.0.3.6.0.1.0.0.2.ip6.arpa

  • 2011-06-17: zone created, signed with RSASHA1, and registered in dlv.isc.org soon after.
  • 2017-09-30: dlv.isc.org decommissioned.
  • 2019-12-16: fast algorithm rollover to ECDSA256.
  • There is no chain of trust from the root zone because the parent zone 0.3.6.0.1.0.0.2.ip6.arpa has not yet been signed by JANET.

0.0.4.b.5.0.a.2.ip6.arpa

  • 2018-06-21: zone created, signed with ECDSA256, and DS records registered in the parent zone.
  • This is the first zone we signed with ECDSA256.

Computer Laboratory zones

cl.cam.ac.uk

  • 2013-11-18: signed with RSASHA1, with DS records for it created in cam.ac.uk, creating a chain of trust from the root zone.

cst.cam.ac.uk

  • 2017-07-20: created and signed with RSASHA1, with DS records in cam.ac.uk, creating a chain of trust from the root zone.

232.128.in-addr.arpa

  • 2013-11: signed with RSASHA1.
  • 2014-01-09: DS records registered in 128.in-addr.arpa, creating a chain of trust from the root zone.

2.0.2.1.2.0.0.3.6.0.1.0.0.2.ip6.arpa

  • 2013-11: signed with RSASHA1, with DS records in the parent zone (see above).

0.1.1.0.0.0.4.b.5.0.a.2.ip6.arpa

  • 2018-10-23: zone created and signed with RSASHA1, with DS records in the parent zone (see above).

Faculty of Mathematics zones

damtp.cam.ac.uk
dpmms.cam.ac.uk
maths.cam.ac.uk
newton.cam.ac.uk
statslab.cam.ac.uk
16.111.131.in-addr.arpa
17.111.131.in-addr.arpa
18.111.131.in-addr.arpa
20.111.131.in-addr.arpa
24.111.131.in-addr.arpa
145.111.131.in-addr.arpa

  • 2017-01-24: signed with RSASHA1, with DS records added in the parent zones (see above).

  • 2020-01-22: DS record switched from RSASHA1 to ECDSA256. (The whole algorithm rollover was spread a few days either side of that date.)

Managed Zone Service

non-ac.uk zones

  • 2019-12-11: signed with ECDSA256.
  • 2019-12-12: DS records registered in parent zones.

ac.uk zones

  • 2019-12-11: signed with ECDSA256.
  • 2019-12-16 ... 2019-12-19: DS records registered in the parent zone (rate-limited to at most 10 per day).

Placeholder zones

cambridge.ac.uk

  • 2013-04-16: signed with RSASHA256, and registered in dlv.isc.org soon after.
  • 2013-05-27: DS record registered in ac.uk, which created a chain of trust from the root zone; registration in dlv.isc.org removed soon after.
  • 2019-12-11: signed with ECDSA256 as well as RSASHA256.
  • 2019-12-12: DS record switched from RSASHA256 to ECDSA256.
  • 2019-12-14: RSASHA256 disabled.

cambridgeuniversity.ac.uk
cambridge-university.ac.uk
cantab.ac.uk
ucam.ac.uk
universityofcambridge.ac.uk
university-of-cambridge.ac.uk

  • 2013-05-27: signed with RSASHA256, and DS records in ac.uk registered soon after, which created a chain of trust from the root zone.
  • 2019-12-11: signed with ECDSA256 as well as RSASHA256.
  • 2019-12-12: DS record switched from RSASHA256 to ECDSA256.
  • 2019-12-14: RSASHA256 disabled.

cambridge.net.uk

  • 2013-05-27: signed with RSASHA256, with a DS record in the net.uk zone.
  • 2019-11-21: signed with ECDSA256 as well as RSASHA256.
  • 2019-12-16: DS record switched from RSASHA256 to ECDSA256.
  • 2019-12-19: RSASHA256 disabled.

cambridgeuniversity.net.uk
cambridge-university.net.uk
universityofcambridge.net.uk
university-of-cambridge.net.uk

  • 2013-05-27: signed with RSASHA256, but DS records missing.
  • 2019-12-11: signed with ECDSA256 as well as RSASHA256.
  • 2019-12-14: RSASHA256 disabled.
  • 2019-12-16: DS records registered in the parent zone.

university-of-cambridge.org.uk

  • 2013-05-27: signed with RSASHA256, but DS records missing.
  • 2019-12-11: signed with ECDSA256 as well as RSASHA256.
  • 2019-12-12: DS records for both algorithms registered in the parent zone.
  • 2019-12-13: DS record for RSASHA256 deleted.
  • 2019-12-14: RSASHA256 disabled.

ucam.biz

  • 2013-05-27: signed with RSASHA256, but DS records missing.
  • 2019-11-21: signed with ECDSA256 as well as RSASHA256.
  • 2019-12-12: DS record for ECDSA256 registered in the parent zone.
  • 2019-12-14: RSASHA256 disabled.

university-of-cambridge.net
university-of-cambridge.org
cambridgeuniversity.biz
cambridge-university.biz
universityofcambridge.biz
university-of-cambridge.biz

  • 2013-05-27: signed with RSASHA256, but DS records missing.
  • 2019-12-11: signed with ECDSA256 as well as RSASHA256.
  • 2019-12-12: DS record for ECDSA256 registered in the parent zone.
  • 2019-12-14: RSASHA256 disabled.