The Lightning Wire Labs DNS Service offers DNSSEC support for all features. This page summarises available operation modes and algorithms.

Supported Operation Modes

Pre-signed Zones

In Slave Operation mode, the Lightning Wire Labs DNS Service supports pre-signed zones. This is the most secure setup because no secret keys will be on the name servers.

Live-Signed Zones

In all other modes, the signatures that prove the integrity of the DNS response are available to the name servers which create the signature when it is needed. Just like HTTPS.

Supported Cryptographic Algorithms

  • ECDSA Curve P-384, SHA384 (algorithm 14)
  • ECDSA Curve P-256, SHA256 (algorithm 13)
  • ECC-GOST (algorithm 12)
  • RSA/SHA512 (algorithm 10)
  • RSA/SHA256 (algorithm 8)
  • RSA/SHA1-NSEC3-SHA1 (algorithm 7)
  • RSA/SHA1 (algorithm 5)


We support the following NSEC methods:

  • NSEC3 (default)
  • NSEC3-narrow
  • NSEC