
This documentation has been prepared in advance of the implementation of DNSSEC in our registry systems. An overview of DNSSEC is available, as is information on DNSSEC for registrars. We have also provided DNSSEC functions in our EPP Testbed.


Overview


The following operations will be updated to support DS Records:

  • domain:create
  • domain:update
  • domain:info
  • domain:list - only changed when using nom-domain-2.1.xsd

In addition to this the behaviour of the domain:transfer operation will be changed to handle DS Records.

Schema support for DNSSEC


Our support for DNSSEC in Nominet EPP uses the standard secDNS-1.1.xsd schema for the addition and removal of all DS records and also for the responses to <domain:info> operations.

In addition to this the new nom-domain-2.1 schema can be used to obtain DS record information using the domain:list operation.

Our support for the secDNS-1.1 schema has the following constraints:

  • The optional Maximum Signature Lifetime (maxSigLife) element is not supported
  • We only support the DS Data Interface - we do not support the Key Data Interface
  • We do not support the optional "urgent" attribute in the <secDNS:update> element
  • A maximum of eight DS records is allowed for each domain

Any request that breaks these constraints will fail, and the error message received will contain an automaton error code indicating the reason for the failure.

Documentation for the secDNS schema can be found in RFC 5910 and details of the DS record fields are described in RFC 4034.

The secDNS-1.1 schema can be used in combination with either the Nominet 2.0 schema bundle or with the new Nominet 2.1 schema bundle.

Modified Operations

<domain:create>

When a domain is created, up to 8 DS records can also be specified for the domain by using a <secDNS:create> element containing one or more <secDNS:dsData> elements from the secDNS-1.1 extension schema. If more than 8 DS records are specified, the request will fail.

<domain:update>

The <domain:update> operation can be used to add or remove DS records for an existing domain by specifying a <secDNS:update> element.

A maximum of 8 DS records can be specified for removal or addition within the <secDNS:update> element; if more than 8 records are added or removed, the update will fail. The update will also fail if adding the new DS records would leave more than 8 DS records associated with the domain.

<domain:info>

If the secDNS schema was specified when logging in to EPP and the domain has DS records, then the response to the info command will include information about the DS records on the domain. If the secDNS schema was not specified when logging in to EPP, no information about DS records will be included in the response.

<domain:list>

When the <domain:list> operation is used with the <domain:fields> element set to "all", information about any DS records on the domains will be included in the <domain:infData> elements of the response, provided that both the nom-domain-2.1 and secDNS-1.1 schemas were specified when logging in to EPP. If either of these schemas was not specified when logging in to EPP, no information about DS records will be included in the response.

<domain:transfer>

When the transfer operation is used to move a domain name with DS records onto another tag, the EPP system will check whether the receiving tag supports DNSSEC.

If the receiving tag supports DNSSEC, the DS records for the domain will not be altered. If the receiving tag does not support DNSSEC, any DS records will be removed from the domain.

Contents of the <secDNS:dsData> element

When creating or changing DS records for a domain the following fields must be set in the <secDNS:dsData> element for each DS record:
  • keyTag: The Key Tag value for the DS record (as described in Section 5.1.1 of RFC 4034)
  • alg: The Algorithm number used in the DS record
  • digestType: The Digest Type - this identifies the algorithm used to construct the Digest field for the DS record
  • digest: The Digest for the DS record

These fields are described in more detail in RFC 4034. Full details of the DNSSEC algorithm and digest types supported by Nominet are described here.

If the information supplied for a DS record is incomplete or invalid then the operation to create or update the domain will fail and the error message will contain an automaton error code which indicates the reason for the failure.
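As an added example (not Nominet's code), the following Python builds the <secDNS:create> and <secDNS:update> extensions described above and checks the DS records locally against the constraints this page lists (DS Data interface only, at most eight records per request and per domain, no maxSigLife, no urgent attribute) and the field ranges from RFC 4034, so a malformed request is caught before the registry rejects it with an automaton error code. The digest-length table is an assumption taken from the RFC-defined digest types (SHA-1, SHA-256, SHA-384); the page's own list of supported algorithm and digest types is not reproduced here.

```python
"""Build and pre-check secDNS-1.1 extensions for Nominet EPP domain:create/update.

Added example, not Nominet's code. Constraints applied: DS Data interface only,
no more than MAX_DS_RECORDS per request and per domain, no maxSigLife, no
urgent attribute. DIGEST_HEX_LEN is an assumption taken from the RFC digest
types, not from Nominet's own list of supported types.
"""
import re
import xml.etree.ElementTree as ET

SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"
MAX_DS_RECORDS = 8  # limit stated on this page

# Digest type -> required number of hex digits in <secDNS:digest>.
# 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
DS_FIELDS = ("keyTag", "alg", "digestType", "digest")


def validate_ds_record(rec):
    """Return the problems found in one DS record dict; [] means it is valid."""
    missing = [f for f in DS_FIELDS if f not in rec]
    if missing:
        return [f"missing {f}" for f in missing]
    problems = []
    if not 0 <= rec["keyTag"] <= 65535:   # 16-bit Key Tag, RFC 4034 s5.1.1
        problems.append("keyTag out of range 0-65535")
    if not 0 <= rec["alg"] <= 255:        # 8-bit Algorithm, RFC 4034 s5.1.2
        problems.append("alg out of range 0-255")
    want = DIGEST_HEX_LEN.get(rec["digestType"])
    if want is None:
        problems.append(f"unsupported digestType {rec['digestType']}")
    elif not re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, str(rec["digest"])):
        problems.append(f"digest must be {want} hex digits for digestType {rec['digestType']}")
    return problems


def validate_ds_records(records, existing_count=0):
    """Check a set of DS records, including the 8-record limit on the domain.

    existing_count is how many DS records the domain already holds; the page
    says an update fails if the total after adding would exceed the limit.
    """
    problems = []
    if len(records) > MAX_DS_RECORDS:
        problems.append(f"{len(records)} DS records in one request exceeds {MAX_DS_RECORDS}")
    elif existing_count + len(records) > MAX_DS_RECORDS:
        problems.append(f"domain would hold {existing_count + len(records)} DS records, limit is {MAX_DS_RECORDS}")
    for i, rec in enumerate(records):
        problems.extend(f"record {i}: {p}" for p in validate_ds_record(rec))
    return problems


def _append_ds_data(parent, records):
    """Emit one <secDNS:dsData> per record with the four RFC 4034 fields."""
    for rec in records:
        ds = ET.SubElement(parent, f"{{{SECDNS_NS}}}dsData")
        for field in DS_FIELDS:
            ET.SubElement(ds, f"{{{SECDNS_NS}}}{field}").text = str(rec[field])


def _serialise(root):
    ET.register_namespace("secDNS", SECDNS_NS)
    return ET.tostring(root, encoding="unicode")


def build_secdns_create(records):
    """<secDNS:create> extension for a domain:create command."""
    problems = validate_ds_records(records)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element(f"{{{SECDNS_NS}}}create")
    _append_ds_data(root, records)
    return _serialise(root)


def build_secdns_update(add=(), rem=(), rem_all=False, existing_count=0):
    """<secDNS:update> extension; rem_all emits <secDNS:rem><secDNS:all>true</secDNS:all></secDNS:rem>.

    The urgent attribute is never emitted because this page says it is not supported.
    """
    add, rem = list(add), list(rem)
    if rem_all and rem:
        raise ValueError("use either rem_all or an explicit rem list")
    remaining = 0 if rem_all else max(0, existing_count - len(rem))
    problems = validate_ds_records(add, remaining) + validate_ds_records(rem)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.Element(f"{{{SECDNS_NS}}}update")
    if rem_all or rem:  # RFC 5910 orders rem before add
        rem_el = ET.SubElement(root, f"{{{SECDNS_NS}}}rem")
        if rem_all:
            ET.SubElement(rem_el, f"{{{SECDNS_NS}}}all").text = "true"
        else:
            _append_ds_data(rem_el, rem)
    if add:
        _append_ds_data(ET.SubElement(root, f"{{{SECDNS_NS}}}add"), add)
    return _serialise(root)
```

The two create/update bodies this produces correspond to the extension elements in the example requests further down the page; the registrar wraps them in the <extension> element of the EPP command as shown there.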

 

Example requests and responses

<domain:create>

Example request to create a domain on an existing account with the following DS Records:

  • Key-Tag: 101, Algorithm: 5, Digest-Type: 1, Digest: 38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
  • Key-Tag: 102, Algorithm: 5, Digest-Type: 2, Digest: D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
<command>
<create>
<domain:create
xmlns:domain="http://www.nominet.org.uk/epp/xml/nom-domain-2.0"
xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-domain-2.0
nom-domain-2.0.xsd">
<domain:name>epp-example.co.uk</domain:name>
<domain:account>
<domain:account-id>111111</domain:account-id>
</domain:account>
</domain:create>
</create>
<extension>
<secDNS:create
xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
<secDNS:dsData>
<secDNS:keyTag>101</secDNS:keyTag>
<secDNS:alg>5</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
</secDNS:dsData>
<secDNS:dsData>
<secDNS:keyTag>102</secDNS:keyTag>
<secDNS:alg>5</secDNS:alg>
<secDNS:digestType>2</secDNS:digestType>
<secDNS:digest>D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A</secDNS:digest>
</secDNS:dsData>
 </secDNS:create>
</extension>
<clTRID>ABC-12345</clTRID>
</command>
</epp>

<domain:update>

Example request to remove all existing DS records:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
<command>
<update>
<domain:update
xmlns:domain="http://www.nominet.org.uk/epp/xml/nom-domain-2.0"
xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-domain-2.0
nom-domain-2.0.xsd">
<domain:name>epp-example.co.uk</domain:name>
</domain:update>
</update>
<extension>
<secDNS:update
xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
<secDNS:rem>
<secDNS:all>true</secDNS:all>
</secDNS:rem>
</secDNS:update>
</extension>
<clTRID>ABC-12345</clTRID>
</command>
</epp>

<domain:info>

Example response for a domain with 1 DS record:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
<response>
<result code="1000">
<msg>Command completed successfully</msg>
</result>
<resData>
<domain:infData
xmlns:domain="http://www.nominet.org.uk/epp/xml/nom-domain-2.0"
xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-domain-2.0 nom-domain-2.0.xsd">
<domain:name>epp-example.co.uk</domain:name>
<domain:reg-status>Registered until expiry date.</domain:reg-status>
<domain:account>
<account:infData
xmlns:account="http://www.nominet.org.uk/epp/xml/nom-account-2.0"
xmlns:contact="http://www.nominet.org.uk/epp/xml/nom-contact-2.0">
<account:roid>111044-UK</account:roid>
<account:name>Mr R. Strant</account:name>
<account:type>UNKNOWN</account:type>
<account:opt-out>N</account:opt-out>
<account:addr>
<account:street>2 Test Street</account:street>
<account:city>Test City</account:city>
<account:county>Testshire</account:county>
<account:postcode>TE57 1NG</account:postcode>
<account:country>GB</account:country>
</account:addr>
<account:contact order="1">
<contact:infData>
<contact:roid>C124808-UK</contact:roid>
<contact:name>Mr R. Strant</contact:name>
<contact:phone>01865 123456</contact:phone>
<contact:email>r.strant@strant.co.uk</contact:email>
<contact:clID>TEST</contact:clID>
<contact:upID>domains@example.com</contact:upID>
<contact:upDate>2011-01-19T13:48:20</contact:upDate>
</contact:infData>
</account:contact>
<account:clID>TEST</account:clID>
<account:crID>TEST</account:crID>
<account:crDate>2011-01-19T13:48:20</account:crDate>
</account:infData>
</domain:account>
<domain:ns>
<domain:host>
<domain:hostName>ns0.example.com</domain:hostName>
</domain:host>
</domain:ns>
<domain:clID>TEST</domain:clID>
<domain:crID>TEST</domain:crID>
<domain:crDate>2010-01-19T13:48:20</domain:crDate>
<domain:exDate>2012-01-19T13:48:20</domain:exDate>
</domain:infData>
<secDNS:infData
xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
<secDNS:dsData>
<secDNS:keyTag>123</secDNS:keyTag>
<secDNS:alg>5</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>0123456789ABCDEF0123456789ABCDEF12345678</secDNS:digest>
</secDNS:dsData>
</secDNS:infData>
</resData>
<trID>
<clTRID>EPP-XYZ-99900</clTRID>
<svTRID>131580</svTRID>
</trID>
</response>
</epp>

<domain:list>

Example response including 1 domain with 2 DS records:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
<response>
<result code="1000">
<msg>Command completed successfully</msg>
</result>
<resData>
<domain:listData
xmlns:domain="http://www.nominet.org.uk/epp/xml/nom-domain-2.1"
xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-domain-2.1 nom-domain-2.1.xsd"
no-domains="1">
<domain:infData
xmlns:domain="http://www.nominet.org.uk/epp/xml/nom-domain-2.1"
xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-domain-2.1 nom-domain-2.1.xsd">
<domain:name>epp-example.co.uk</domain:name>
<domain:reg-status>Registered until expiry date.</domain:reg-status>
<domain:account>
<account:infData
xmlns:account="http://www.nominet.org.uk/epp/xml/nom-account-2.0"
xmlns:contact="http://www.nominet.org.uk/epp/xml/nom-contact-2.0">
<account:roid>111057-UK</account:roid>
<account:name>Mr R. Strant</account:name>
<account:type>UNKNOWN</account:type>
<account:opt-out>N</account:opt-out>
<account:addr>
<account:street>2 Test Street</account:street>
<account:city>Test City</account:city>
<account:county>Testshire</account:county>
<account:postcode>TE57 1NG</account:postcode>
<account:country>GB</account:country>
</account:addr>
<account:contact order="1">
<contact:infData>
<contact:roid>C124821-UK</contact:roid>
<contact:name>Mr R. Strant</contact:name>
<contact:phone>01234 567890</contact:phone>
<contact:email>r.strant@strant.co.uk</contact:email>
<contact:clID>TEST</contact:clID>
<contact:upID>domains@example.com</contact:upID>
<contact:upDate>2011-01-19T13:48:22</contact:upDate>
</contact:infData>
</account:contact>
<account:clID>TEST</account:clID>
<account:crID>domains@example.com</account:crID>
<account:crDate>2011-01-19T13:48:22</account:crDate>
</account:infData>
</domain:account>
<domain:clID>TEST</domain:clID>
<domain:crID>TEST</domain:crID>
<domain:crDate>2010-01-19T13:48:22</domain:crDate>
<domain:exDate>2012-01-19T13:48:22</domain:exDate>
<secDNS:infData
xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
<secDNS:dsData>
<secDNS:keyTag>10011</secDNS:keyTag>
<secDNS:alg>5</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>38DC35D5B3A34F44C39B38EC35D5B3A34B44C39B</secDNS:digest>
</secDNS:dsData>
</secDNS:infData>
<secDNS:infData
xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
<secDNS:dsData>
<secDNS:keyTag>10012</secDNS:keyTag>
<secDNS:alg>3</secDNS:alg>
<secDNS:digestType>1</secDNS:digestType>
<secDNS:digest>39EC35D5B3B34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
</secDNS:dsData>
</secDNS:infData>
</domain:infData>
</domain:listData>
</resData>
<trID>
<clTRID>EPP-XYZ-99900</clTRID>
<svTRID>131619</svTRID>
</trID>
</response>
</epp>
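The responses above (a <domain:info> response with one DS record and a <domain:list> response with two) can be read back with the following Python, added here as an example rather than taken from Nominet. The embedded response is a constructed, cut-down copy of the <domain:info> response shown above and keeps the page's layout with secDNS:infData inside resData; the parser searches the whole tree, so it also handles the repeated secDNS:infData elements in the <domain:list> response and returns an empty list when the server included no DS data, which this page says happens when secDNS-1.1 was not specified at login. The missing_ds_records comparison is the check a registrar would run against a fresh <domain:info> response after a <domain:transfer>, since the page states that DS records are removed when the receiving tag does not support DNSSEC.

```python
"""Read DS records back from Nominet EPP <domain:info>/<domain:list> responses.

Added example, not Nominet's code. SAMPLE_INFO_RESPONSE is a constructed,
cut-down copy of the <domain:info> response on this page (secDNS:infData inside
resData, as the page shows it rather than inside <extension>).
"""
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"

SAMPLE_INFO_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
 <response>
  <result code="1000"><msg>Command completed successfully</msg></result>
  <resData>
   <domain:infData xmlns:domain="http://www.nominet.org.uk/epp/xml/nom-domain-2.0">
    <domain:name>epp-example.co.uk</domain:name>
   </domain:infData>
   <secDNS:infData xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
    <secDNS:dsData>
     <secDNS:keyTag>123</secDNS:keyTag>
     <secDNS:alg>5</secDNS:alg>
     <secDNS:digestType>1</secDNS:digestType>
     <secDNS:digest>0123456789ABCDEF0123456789ABCDEF12345678</secDNS:digest>
    </secDNS:dsData>
   </secDNS:infData>
  </resData>
  <trID><clTRID>EPP-XYZ-99900</clTRID><svTRID>131580</svTRID></trID>
 </response>
</epp>"""

# The same response as the server sends when secDNS-1.1 was not specified at
# login: the secDNS:infData element is simply absent (constructed by removal).
_ds_start = SAMPLE_INFO_RESPONSE.index("<secDNS:infData")
_ds_end = SAMPLE_INFO_RESPONSE.index("</secDNS:infData>") + len("</secDNS:infData>")
SAMPLE_INFO_RESPONSE_NO_DS = SAMPLE_INFO_RESPONSE[:_ds_start] + SAMPLE_INFO_RESPONSE[_ds_end:]

# Field name -> converter; digest is upper-cased so hex case never breaks comparison.
_CONVERT = (("keyTag", int), ("alg", int), ("digestType", int), ("digest", str.upper))


def result_code(xml_text):
    """EPP result code of a response (1000 = success), or None if absent."""
    result = ET.fromstring(xml_text).find(f".//{{{EPP_NS}}}result")
    return int(result.get("code")) if result is not None else None


def extract_ds_records(xml_text):
    """All DS records in the response as dicts, in document order.

    root.iter() finds every secDNS:dsData wherever it sits, so one
    secDNS:infData (domain:info) and several (the domain:list response on this
    page) are handled alike. No DS data at all gives [].
    """
    root = ET.fromstring(xml_text)
    records = []
    for ds in root.iter(f"{{{SECDNS_NS}}}dsData"):
        rec = {}
        for field, conv in _CONVERT:
            el = ds.find(f"{{{SECDNS_NS}}}{field}")
            if el is None or not el.text:
                raise ValueError(f"dsData is missing {field}")
            rec[field] = conv(el.text.strip())
        records.append(rec)
    return records


def ds_key(rec):
    """Hashable identity of a DS record: the four RFC 4034 fields."""
    return (rec["keyTag"], rec["alg"], rec["digestType"], rec["digest"])


def missing_ds_records(expected, actual):
    """DS records the registrar expects but the registry no longer returns.

    Run this against a domain:info response after a <domain:transfer>: a
    non-empty result means the receiving tag did not support DNSSEC and the
    DS records were removed, so the delegation is now unsigned.
    """
    present = {ds_key(r) for r in actual}
    return sorted({ds_key(r) for r in expected} - present)


if __name__ == "__main__":
    print(result_code(SAMPLE_INFO_RESPONSE), extract_ds_records(SAMPLE_INFO_RESPONSE))
    print(missing_ds_records(extract_ds_records(SAMPLE_INFO_RESPONSE),
                             extract_ds_records(SAMPLE_INFO_RESPONSE_NO_DS)))
```

An empty result from extract_ds_records is ambiguous on its own: it is what a domain with no DS records returns, and also what any domain returns if secDNS-1.1 was left out of the login. Checking the login's declared schemas, or comparing against the DS set the registrar expects as missing_ds_records does, removes that ambiguity.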
