
This documentation has been prepared in advance of the implementation of DNSSEC in our registry systems. An overview of DNSSEC is available as well as information on DNSSEC for registrars.
 

Overview



The following operations will be updated to support DS Records:
  • Create operation
  • Modify operation
  • Query operation
  • List operation
  • Bulk Select and Modify operations
In addition, the behaviour of the Release operation will be changed when a domain has DS Records.

Modified Operations


Create

When a domain is created, up to 8 DS Records can also be specified for the domain by using one or more instances of the new optional "dsdata" field.

Modify

You can use the modify operation to add and remove DS Records for a domain in addition to changing other details of the domain. A maximum of 8 DS Records can be specified for the domain using the optional "dsdata" field.

Notes:
  • When modifying any DS Records for the domain you must include all DS Record details for the domain, even if they are not changing
  • If you need to remove all DS Records from the domain then the string "NULL" must be used in the dsdata field

Query

The query operation has been extended so that it will include information about DS Records for the domain.
If the domain does not have any DS Records then there will not be any dsdata fields in the response.

List

The list operation has been extended to include information about DS records for domains, but only for registrars who have registered with us to indicate that they support DNSSEC. For other registrars there will be no change to the response from list.
 
New reply templates for registrars supporting DNSSEC

Default reply template:
Domain Name List follows...

Domain name|reg-status|registrar-tag|created|changed|expiry|first-bill|recur-bill|
auto-bill|next-bill|dns0|dns1|dns2|dns3|dns4|dns5|dns6|dns7|dns8|dns9|
account-id|account-name|reseller|dsdata0|dsdata1|dsdata2|dsdata3|dsdata4|
dsdata5|dsdata6|dsdata7

...
Notes:
  • The registrar-tag field will be "tag" and the account-name field will be "registrant" if you have the backwards compatibility option switched on.
Reply template including all fields (by adding "fields: all" to the request):
Domain Name List follows...

Domain name|reg-status|registrar-tag|created|changed|expiry|first-bill|recur-bill|
auto-bill|next-bill|dns0|dns1|dns2|dns3|dns4|dns5|dns6|dns7|dns8|dns9|
account-id|account-name|reseller|dsdata0|dsdata1|dsdata2|dsdata3|dsdata4|
dsdata5|dsdata6|dsdata7|trad-name|type|co-no|opt-out|addr|locality|city|county|
postcode|country|b-addr|b-locality|b-city|b-county|b-postcode|b-country|a1-id|
a1-name|a1-email|a1-phone|a1-fax|a2-id|a2-name|a2-email|a2-phone|a2-fax|a3-id|
a3-name|a3-email|a3-phone|a3-fax|b1-id|b1-name|b1-email|b1-phone|b1-fax|b2-id|
b2-name|b2-email|b2-phone|b2-fax|b3-id|b3-name|b3-email|b3-phone|b3-fax
...

Bulk Select and Modify

The Bulk Select operation has been extended so that it will include details of any DS records for the selected domains, but only for registrars who have registered with us to indicate that they support DNSSEC. For other registrars there will be no change to the response from Bulk Select.

For registrars who support DNSSEC a Bulk Select operation with a wildcard query (select *) will include 8 new "dsdata" columns.

In addition to this, both the Bulk Select and Bulk Modify operations can filter domains based on whether or not the domains have any associated DS records.

It is not possible to make any changes to DS records on domains using the Bulk Modify operation.

New select field: "ds-records"


The "ds-records" field can be used in the select clause - if this is specified then 8 "dsdata" columns (one for each possible DS record) will be added to the output.

New filter field: "ds-records"


The ds-records filter field can be used only with the "=" operator and with an 'rvalue' of 'NULL'. Together with the logical NOT operator this can be used to identify those domains which do (or which do not) have any associated DS records.

Contents of the dsdata field

Each dsdata field is used to specify one DS Record for the domain and will normally contain the following four fields (separated by commas):
  • Key-Tag: The Key Tag value for the DS record (as described in Section 5.1.1 of RFC 4034)
  • Algorithm: The Algorithm number used in the DS record
  • Digest-Type: The Digest Type - this identifies the algorithm used to construct the Digest field for the DS record
  • Digest: The Digest for the DS record
For the Modify operation a single dsdata field containing the string "NULL" is used to indicate that all DS Records should be removed from the domain.

The allowed values for these fields are described in more detail in RFC 4034. Full details of the DNSSEC algorithm and digest types supported by Nominet are described here.

If the information supplied for a DS record is incomplete or invalid then the operation to create or update the domain will fail and the error message will contain an error code which indicates the reason for the failure.
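The following is an added example, not Nominet's code: it validates dsdata values before submission and builds a modify request that always carries the complete resulting DS set, since a modify that lists only the new record would drop the others. The function names are hypothetical, the digest lengths for types 1 and 2 are an assumption (the page does not list the accepted digest types), and the sample reply is constructed from this page's example values.

```python
import re

MAX_DS = 8  # registry limit stated on this page
# Hex length per digest type (1 = SHA-1, 2 = SHA-256). Assumption: the page
# does not list which digest types the registry accepts.
DIGEST_HEX_LEN = {1: 40, 2: 64}
DS_RE = re.compile(r"\s*([0-9]{1,5}),([0-9]{1,3}),([0-9]{1,3}),([0-9A-Fa-f]+)\s*")

def parse_dsdata(value):
    """Validate one 'Key-Tag,Algorithm,Digest-Type,Digest' value."""
    m = DS_RE.fullmatch(value)
    if not m:
        raise ValueError(f"not four comma-separated DS fields: {value!r}")
    key_tag, alg, dtype = (int(g) for g in m.groups()[:3])
    digest = m.group(4).upper()
    if key_tag > 0xFFFF or alg > 0xFF:
        raise ValueError(f"key tag or algorithm out of range: {value!r}")
    if len(digest) != DIGEST_HEX_LEN.get(dtype):
        raise ValueError(f"unknown digest type or wrong digest length: {value!r}")
    return key_tag, alg, dtype, digest

def current_ds(query_reply):
    """Collect DS records from the '*dsdata:' lines of a query reply."""
    return [parse_dsdata(line.split(":", 1)[1])
            for line in query_reply.splitlines() if line.startswith("*dsdata:")]

def build_modify(domain, existing, add=(), remove=()):
    """Build a modify request that carries the complete resulting DS set."""
    drop = {parse_dsdata(r) for r in remove}
    wanted = [r for r in existing if r not in drop]
    wanted += [r for r in map(parse_dsdata, add) if r not in wanted]
    if len(wanted) > MAX_DS:
        raise ValueError(f"{len(wanted)} DS records exceeds the limit of {MAX_DS}")
    # An empty set must be sent as the literal string NULL, not as no field.
    body = ["dsdata: %d,%d,%d,%s" % r for r in wanted] or ["dsdata: NULL"]
    return "\n".join(["operation: modify", f"key: {domain}"] + body)

# Constructed query reply, using values from this page's examples.
SAMPLE_REPLY = """*key: automaton-example.co.uk
*dns: ns0.example.com.
*dsdata: 101,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
*dsdata: 102,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39C
"""

if __name__ == "__main__":
    new_ds = "103,5,2,D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A"
    print(build_modify("automaton-example.co.uk", current_ds(SAMPLE_REPLY), add=[new_ds]))
```

Feeding the records from a fresh query reply into `build_modify` keeps unchanged DS records in place during a key rollover.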

Registry Fields for DNSSEC support



dsdata: An optional field which is used to specify a DS Record for a domain.
This field contains four fields which are separated by commas.
A maximum of 8 DS Records can be stored for each domain in the registry.

Example requests and responses using dsdata fields


Create

Request to create a domain on an existing account with the following DS Records:
  • Key-Tag: 101, Algorithm: 5, Digest-Type: 1, Digest: 38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
  • Key-Tag: 102, Algorithm: 5, Digest-Type: 2, Digest: D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A
operation: request
key: automaton-example.co.uk
account-id: 107158
dns0: ns0.example.com.
dsdata: 101,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
dsdata: 102,5,2,D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A

Modify

Request to remove all existing DS Records on a domain:
operation: modify
key: automaton-example.co.uk
dsdata: NULL

Request to modify the domain so that it will have 3 DS Records:
operation: modify
key: automaton-example.co.uk
dsdata: 101,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39A
dsdata: 102,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
dsdata: 103,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39C

Query

Example response for a domain with 2 DS Records:

Subject: Re: TAG query

The following message was sent from the Automaton:

*key: automaton-example.co.uk
*reg-status: Registered until expiry date.
*dns: ns0.example.com.
*dns: ns1.example.com.
*registrar-tag: TAG
*account-id: 10005
*account-name: Example Registrant
*type: UNKNOWN
*opt-out: N
*a1-id: C100081
*a1-name: Example Registrant
*a1-email: test@example.com
*a1-phone: 01865 123456
*addr: 2 Test Street
*city: Test City
*county: Testshire
*postcode: TE57 1NG
*country: GB
*next-bill: 0
*auto-bill: 0
*created: test@example.com 20100125
*expiry: 20120125
*dsdata: 101,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
*dsdata: 102,5,1,38EC35D5B3A34B44C39B38EC35D5B3A34B44C39C

If you have any questions please contact support@nominet.org.uk.

Documentation on the automaton can be found on the Nominet Web
site at http://www.nominet.org.uk/go/automaton

List

Example list response including 1 domain with 2 DS records and another domain without DS records:
Domain Name List follows...
Domain name|reg-status|registrar-tag|created|changed|expiry|first-bill|recur-bill|
auto-bill|next-bill|dns0|dns1|dns2|dns3|dns4|dns5|dns6|dns7|dns8|dns9|account-id|
account-name|reseller|dsdata0|dsdata1|dsdata2|dsdata3|dsdata4|dsdata5|dsdata6|
dsdata7
automaton-example.co.uk|Registered until expiry date.|TAG|20100209||20120209|||0|0||
|||||||||103015|Example Registrant||10011 5 1
38DC35D5B3A34F44C39B38EC35D5B3A34B44C39B|10012 3 1
39EC35D5B3B34B44C39B38EC35D5B3A34B44C39B|||||||
automaton-example-1.co.uk|Registered until expiry date.|TAG|20100209||20120209|||0|0
|||||||||||103015|Example Registrant||||||||||
Number of domains in the list: 2.

If you have any questions please contact support@nominet.org.uk.

Documentation on the automaton can be found on the Nominet Web
site at http://www.nominet.org.uk/go/automaton
Note: for readability here, long lines in the response have been wrapped.

Bulk Select

Bulk Select using a wildcard query:
operation: bulk
select: *
Response:
Domain Name List follows...
Domain name|reg-status|registrar-tag|created|changed|expiry|first-bill|recur-bill|
auto-bill|next-bill|dns0|dns1|dns2|dns3|dns4|dns5|dns6|dns7|dns8|dns9|
account-id|account-name|reseller|dsdata0|dsdata1|dsdata2|dsdata3|dsdata4|
dsdata5|dsdata6|dsdata7
...
Query to return a list of all domains on your tag including details of attached nameservers and DS records:
operation: bulk
select: key, nservers, ds-records
Query to return all domains on your tag which have DS records:
operation: bulk
select: *
filter: NOT (ds-records = 'NULL')
Query to return all domains on your tag which do not have DS records:
operation: bulk
select: *
filter: ds-records = 'NULL'
 
 
 
