.US Frequently Asked Questions (FAQs)


What is the .US top-level domain?

.US is “America’s Internet Address.” It is the official country code top-level domain (ccTLD) for the United States within the global domain name system (DNS).

What is Kids.us?

On December 4, 2002, President George W. Bush signed into law the Dot Kids Implementation and Efficiency Act of 2002. This Act requires that Neustar, “as the administrator of the .US country code top-level domain (ccTLD), establish a kids.us domain to serve as a haven for material that promotes positive experiences for children and families using the Internet, provides a safe online environment for children, and helps to prevent children from being exposed to harmful material on the Internet.” Neustar currently maintains and operates the second-level kids.us domain as a safe place on the Internet for children aged 13 or younger. For more information on kids.us domain names, please visit www.kids.us

Where can I register a .US domain?

.US domains may be registered through any accredited registrar. A list of .US accredited registrar may be found here.

Are there restrictions on .US domain names?

Yes. Registration of .US domains is limited to individuals or organizations that meet the .US Nexus policy. Any U.S. citizen or resident, as well as any business or organization, including federal, state, and local government with a bona fide presence in the United States can register a .US domain name.

One of the following eligibility requirements must be met:

  1. A natural person (i) who is a citizen or permanent resident of the United States of America or any of its possessions or territories or (ii) whose primary place of domicile is in the United States of America or any of its possessions, or
  2. Any entity or organization that is incorporated within one of the fifty (50) U.S. states, the District of Columbia, or any of the United States possessions or territories or (ii) organized or otherwise constituted under the laws of a state of the United States of America, the District of Columbia, or any of its possessions or territories, or
  3. An entity or organization (including federal, state, or local government of the United States, or a political subdivision thereof) that has a bona fide presence in the United States. See Section B.3.1 of the Neustar proposal to the Department of Commerce for details concerning what constitutes a “bona fide presence.”

How can I get access to the .US zone file?

To obtain access the .US Zone file, you must complete, sign and return the Zone File Access Agreement to obtain FTP access credentials. This agreement should be faxed to 571-434-5758. If you have additional questions please email support@Neustar.biz.

Are Internationalized Domain Names (IDNs) offered in .US?

.US does not currently offer IDN registrations. However, we suggest you periodically check the official .US website for updates.

Where can I find more information about .US?

Additional information about .US, including information on kid.us, policies and FAQs can be found on the official .US website.

How do I find a list of .US domains to be deleted from the Registry?

A list of upcoming domain deletions from the registry can be obtained from Report 2 for each TLD found here.

What is DNSSEC?

DNSSEC stands for Domain Name System (DNS) Security Extensions, which enable DNS clients (resolvers) to (1) validate origin authentication of DNS data; (2) confirm data integrity; and (3) authenticate denial of existence.

What problem does DNSSEC solve?

When implemented end-to-end, DNSSEC protects end users from exposure to DNS cache poisoning. Cache poisoning is a corruption of the DNS that enables the spread of viruses, worms, and other malicious files/content. Cache poisoning occurs when data is provided to a caching name server that did not originate from an authoritative Domain Name System (DNS) source. Once a DNS server receives non-authentic data and caches it for future use, it will then supply that non-authentic data to its client servers. The impact of cache poisoning on end users is that they may be directed to IP addresses they did not intend to reach, and may not be aware of the associated risks.

What problem does DNSSEC NOT solve?

DNSSEC does not solve Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks on any system. DNSSEC does not prevent incorrect data entry into a zone (if the IP address is entered wrong, it will not be corrected). DNSSEC’s improvement to other applications is limited to ensuring that applications get correct/authenticated information and nothing more. Phishing attacks are still possible through carefully crafted email and spam delivery. Sensitive information such as credit card numbers on a web server are encrypted via secure socket layers (SSL), and not through DNSSEC.

How does DNSSEC work?

DNSSEC uses cryptographic electronic signatures (referred to as public and private keys) to determine the authenticity of data. DNS clients that are DNSSEC-enabled will validate any DNS response received by automatically checking the authenticity of the cryptographic signatures. If the key is missing or not recognized, the response is not validated and the DNS will not pass the false information on to the user.

What’s the process for implementing DNSSEC?

At this time, Neustar has fully deployed DNSSEC for both the .BIZ and the .US TLDs, and is accepting submissions, known as DS records, in both zones. Our .US and .BIZ-accredited registrars will be able to register DNSSEC information on their customers’ behalf in the Neustar registry.

Does DNSSEC at the TLD registry-level impact the signing of the root zone, and vice-versa?

Neustar’s signing of the .US and .BIZ TLD zones did not impact or interfere with the signing of the root zone. The signing of the root zone on July 15, 2010 represented a seamless transition that did not require incremental development work by registries, registrars, or registrants.

When will DNSSEC be available to .US and .BIZ registrars?

Neustar first offered DNSSEC to.US registrants through accredited registrars effective June 7th 2010, and .BIZ as of August 1, 2010. Please contact Neustar Registrar Support at support@Neustar.biz for more information.

Is there a requirement that registrars implement DNSSEC?

.US and .BIZ-accredited registrars are not required to implement DNSSEC at this time. Support for DNSSEC is optional but recommended to help secure and prevent cache poisoning in the .US and .BIZ domains.

When will DNSSEC be available to registrants for their domain names?

.US and .BIZ registrants should contact their registrar of record to determine if and when the registrar will support DNSSEC.

How is a DNSSEC query formed?

A DNSSEC query is formed by a DNS resolver. Recent versions of BIND have already been forming DNSSEC queries but have not been reacting to the resulting DNSSEC responses. In order to react to the DNSSEC responses in a way that makes use of DNSSEC, resolvers need to be configured with the root’s DNSSEC public key.

How does a registrant sign a zone?

If the registrant is using a DNS managed service provider, they should contact the provider for instructions to turn on DNSSEC. If the registrant is operating their own DNS set up, there are a number of steps to perform. First, make sure the tools in use are capable of DNSSEC. This may mean upgrading the DNS software. Second, after preparing and documenting a plan, create cryptographic key pairs and enter them in the zone. Third, run a DNSSEC zone signer (dependent on the tools in use) to generate the first signed zone. The process of signing will have to be repeated as the signatures will have a limited lifetime. The final step is to publish the zone. The managed service provider should be able to provide guidance along the way.

Where can more information be found?

A general collection of information on DNSSEC can be found here.